Ten years after the introduction of the internet security standard Secure Hash Algorithm 1 (SHA-1), researchers at the Dutch research institute CWI and Google announced Thursday that they have broken it.
The standard is widely used for digital signatures and file integrity verification, including secure credit card transactions, and is a key building block of internet security.
Cryptographic hash functions such as SHA-1 play a role in browser security, managing code repositories, and detecting duplicate files in storage.
The researchers successfully demonstrated what they termed a “collision attack,” using two different PDF files with the same SHA-1 fingerprint, but with different visible content.
According to Google, this means it is time to deprecate SHA-1, especially when it comes to signing TLS certificates, since the protocol is no longer secure. The tech firm urged the tech community to adopt “safer alternatives” such as SHA-256 and SHA-3.