A couple of weeks ago a report by Google came out stating they had managed to crack SHA-1 (Secure Hash Algorithm 1). This hash function was originally developed by the NSA in 1993, and it is still used by a lot of websites today. While there are many newer alternatives that offer greater security and require a considerable amount of computing power to crack, there is yet to be widespread adoption of these protocols.
The issue with the hash collision is due to the idea behind SHA-1, in that each file would be given a unique header. When this was first developed in 1993, the idea that there could potentially be a collision would have seemed impossible, both because of the amount of computing power required to even entertain this and because computer use was nowhere near as common as it is today. Although Google has managed to force a collision, with 2 items having the same SHA-1 hash, it took them 2 years, as well as support from the University of Amsterdam. Given the combined resources and computing power of both a university and Google, and given that it took them 2 years to achieve this, it is not all that feasible as an out-and-out security vulnerability. There is relatively limited risk that an attacker would be able to force a collision and potentially cause damage.

Source: Google Security Blog (https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html)
Another reason this isn't too much of a concern to the integrity of cyber security, in my opinion, is that SHA-2 is readily available and already deployed. This means that even if the collision can be recreated in a shorter amount of time, there is already an upgrade path that offers much greater security, so there will be no gap between SHA-1 being vulnerable and SHA-2 being developed.
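To make the computing-power argument above concrete, here is an added example (not part of the original post) that finds two different messages with the same SHA-1 digest once the digest is truncated to a few bits, then shows that SHA-256 still tells them apart. The truncation and the sample messages are assumptions made so the search finishes in seconds; this is a generic birthday search, not the method Google used.

```python
import hashlib
import math
from itertools import count

def truncated_sha1(data: bytes, bits: int) -> int:
    """Return the top `bits` bits of SHA-1(data) as an integer."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big") >> (160 - bits)

def find_collision(bits: int, prefix: bytes = b"constructed-sample-"):
    """Birthday search over constructed messages prefix+0, prefix+1, ...
    Returns (msg_a, msg_b, attempts); both messages share a truncated digest."""
    seen = {}
    for i in count():
        msg = prefix + str(i).encode()
        tag = truncated_sha1(msg, bits)
        if tag in seen:
            return seen[tag], msg, i + 1
        seen[tag] = msg

def expected_attempts(bits: int) -> float:
    """Birthday estimate of hashes needed before the first collision."""
    return math.sqrt(math.pi / 2 * 2 ** bits)

def sha256_differs(a: bytes, b: bytes) -> bool:
    """True when SHA-256 distinguishes the two colliding messages."""
    return hashlib.sha256(a).digest() != hashlib.sha256(b).digest()

if __name__ == "__main__":
    for bits in (16, 20, 24):
        a, b, attempts = find_collision(bits)
        print(f"{bits}-bit SHA-1: collision after {attempts} hashes "
              f"(estimate {expected_attempts(bits):.0f})")
        print(f"  {a!r} vs {b!r}, SHA-256 differs: {sha256_differs(a, b)}")
    # The same generic search on the full 160-bit digest scales to about
    # 2^80 hashes, which is why the digest length sets the attacker's cost.
    print(f"160-bit estimate: about 2^{math.log2(expected_attempts(160)):.0f} hashes")
```

Each extra bit of digest multiplies the work of this generic search by about 1.41, so the doubling from 160 to 256 bits in SHA-256 moves it far further out of reach.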
The creator of both Linux and Git was warned about the possible vulnerability with SHA-1 in 2005 and proceeded to continue using it for Git. This is because he felt it would be far too expensive to implement a change. Git has layered security, meaning that one layer might be compromised but that isn't the end game.
In my opinion, although it has been cracked in a lab environment, the real-world attack vectors of this could be considered limited. Even many state-sponsored attacks would be unable to dedicate the resources required.
Furthermore, companies such as Google and Microsoft already use SHA-256, so the average user who uses YouTube and Gmail will have nothing to worry about in regard to their online privacy and security.