SHA-1 signatures are now considered unsafe.
Specifically, they’re considered unsafe because the authors' experience computing a freestart SHA-1 collision on Kraken (not me, a cluster named Kraken) led them to a cost estimate of US$173k to compute a real SHA-1 collision, which is cheap enough that e.g. the intelligence services of Iran, China, Russia, USA, or el Chapo Guzmán could probably compute one.
This comes as a big surprise to me because I wasn’t expecting this for several more years.
Substantially cheaper if you own a cluster already and don’t need to rent the time from Amazon.
I’m not sure the difference is substantial. Maybe a factor of two or three, or maybe sub-unity. People build their own clusters for lots of reasons and with a wide variety of levels of effectiveness, and some actually existing clusters are actually more expensive to run than renting the time from Amazon.
led them to a cost estimate of US$173k to compute a real SHA-1 collision
I believe their estimate is actually $75k-120k. $173k is Bruce Schneier’s standing estimate, mentioned on that page for contrast.
Critically that was Schneiers estimate for cost in 2018. iirc he was predicting around 750k today.
That’s an order of magnitude less…
Oh, thank you for the correction!
This is timely news, in light of the ongoing vote: https://lobste.rs/s/6ws4pa/proposal_to_allow_sha-1_certs_to_be_issued_through_2016
Yeah–I really hope this tanks the proposal; two folks on the CA/Browser forum list seem to share that hope.
Beyond getting rid of SHA-1 specifically, I also hope that in general we don’t let backwards compatibility with really old clients hold the whole Web’s security back (see also deprecation of SSL 3.0, for example).
Make that three folks, with Apple piping up from the browser vendor side
Absolutely. I think at this point, everyone who is concerned about security understands what’s at stake and why we need to break things rather than continue to require known vulnerabilities. That has definitely not always been the case.