Google security researchers broke SHA-1
(Feb 2017)
SHA-1 was officially deprecated by NIST in 2011.
Chrome already deprecated it, and Firefox has now deprecated it as well following this announcement.
https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html
Today, more than 20 years after SHA-1 was first introduced, we are announcing the first practical technique for generating a collision [a collision is when two different documents have the same hash fingerprint]. This represents the culmination of two years of research that sprung from a collaboration between the CWI Institute in Amsterdam and Google. We’ve summarized how we went about generating a collision below. As a proof of the attack, we are releasing two PDFs that have identical SHA-1 hashes but different content.
It is now practically possible to craft two colliding PDF files and obtain a SHA-1 digital signature on the first PDF file which can also be abused as a valid signature on the second PDF file.
Note: the LinkedIn data leak in 2016 revealed the company was using SHA-1 to hash user passwords.
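Why a collision carries a signature from one file to another, as an added example that is not from the Google post or the research paper: a hash-then-sign scheme signs only the digest, so any two documents with the same digest share a signature. Assumptions: SHA-1 is truncated to 24 bits so a collision can be found in milliseconds (this is not the SHAttered technique), HMAC stands in for an RSA/ECDSA signature, and the key and document texts are constructed.

```python
import hashlib
import hmac
import itertools

KEY = b"constructed-demo-signing-key"  # constructed; stands in for the signer's private key
WEAK_BYTES = 3                         # assumption: keep only 24 bits of SHA-1

def weak_digest(doc: bytes) -> bytes:
    """SHA-1 truncated to 24 bits: a deliberately weak stand-in for a broken hash."""
    return hashlib.sha1(doc).digest()[:WEAK_BYTES]

def strong_digest(doc: bytes) -> bytes:
    """SHA-256, the migration target."""
    return hashlib.sha256(doc).digest()

def sign(doc: bytes, digest_fn) -> bytes:
    """Hash-then-sign: the signer only ever processes the digest of the document."""
    return hmac.new(KEY, digest_fn(doc), hashlib.sha256).digest()

def verify(doc: bytes, sig: bytes, digest_fn) -> bool:
    return hmac.compare_digest(sign(doc, digest_fn), sig)

def colliding_pair(text_a: bytes, text_b: bytes, table_size: int = 4096):
    """Birthday search: append counters to both texts until the weak digests match."""
    seen = {}
    for i in range(table_size):
        doc = text_a + b" #%d" % i
        seen[weak_digest(doc)] = doc
    for j in itertools.count():
        doc = text_b + b" #%d" % j
        if weak_digest(doc) in seen:
            return seen[weak_digest(doc)], doc

def demo() -> dict:
    doc_a, doc_b = colliding_pair(b"Rent: 100 EUR per month", b"Rent: 900 EUR per month")
    sig_weak = sign(doc_a, weak_digest)      # the signer only ever saw doc_a
    sig_strong = sign(doc_a, strong_digest)
    return {
        "docs_differ": doc_a != doc_b,
        "weak_sig_accepts_doc_b": verify(doc_b, sig_weak, weak_digest),
        "sha256_sig_accepts_doc_b": verify(doc_b, sig_strong, strong_digest),
    }

if __name__ == "__main__":
    print(demo())
```

The signature made over the weak digest verifies for the second document, while the one made over SHA-256 does not, which is why signing and verification both need to move off SHA-1.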