A collision in the SHA1 hashing algorithm has now been demonstrated. I just saw this article retweeted and wanted to share it with the developer community on Steemit as well:
At death’s door for years, widely used SHA1 function is now dead.
Some key paragraphs that stood out to me:
Now, researchers have demonstrated a similar type of real-world attack against SHA1, which ironically was widely adopted after the insecurity of MD5 became well-known. The SHA1 collision is documented in a research paper published Thursday. It presents two PDF files that, despite displaying different content, have the same SHA1 hash. The researchers warned that the same technique—which costs as little as $110,000 to carry out on Amazon's cloud computing platform—could be used to create collisions in GIT file objects or digital certificates.
Fortunately, certificates to HTTPS-protected websites aren't likely to be affected. Since the beginning of this year, browser-trusted certificate authorities have been barred from relying on SHA1 to sign TLS certificates they issue.
Consistent with Google's security disclosure policy, the source code for performing the collision attack will be published in 90 days. That means Git and an unknown number of other widely used services that rely on SHA1 have three months to wean themselves and their users off the insecure function
That last one is huge.
Declining payout, just posting as an FYI.