Google just cracked one of the building blocks of web encryption

Google researchers have done something that previously seemed out of reach: they produced two different documents that have the same SHA-1 hash. This shows nothing is impossible.

Why is it such a big deal? Well, it has everything to do with the fact that SHA-1 is widely used across the Internet. It is used for HTTPS certificates, which protect your browsing, and in Git repositories. It is also used to check whether data in many forms, such as PDFs, emails, source code and website certificates, has been tampered with by hackers.

Coming back to the present, Google has proved that it is possible to create a hash collision: altering a PDF without changing its SHA-1 hash value. This means people can be tricked into believing that an altered or duplicate document is the original, which is worrisome.

In a blog post, Google wrote: “Today, 10 years after SHA-1 was first introduced, we are announcing the first practical technique for generating a collision. This represents the culmination of two years of research which sprung from a collaboration between Google and the CWI Institute in Amsterdam”.

What is the purpose of all this?

The purpose of this entire effort, and of spending two years of research on it, was to show the tech community that it is necessary to stop using SHA-1. Google has supported the deprecation of SHA-1 for many years, especially for signing TLS certificates, because of exactly this type of problem. Chrome has been gradually phasing out SHA-1 since 2014.

“We hope our practical attack on this encryption type will cement that the protocol should no longer be considered secure,” the team added, pushing the tech industry towards a safer alternative such as SHA-256.
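To make the practical consequence concrete, here is a small Python verifier added for illustration (it is not code from the article or from Google's research). It tells a genuine duplicate apart from a SHA-1 collision pair by comparing SHA-256 as well, refuses to accept a document on a SHA-1-only manifest, and shows how Git derives a blob id from SHA-1, which is why repositories are mentioned above. The two sample documents are constructed stand-ins, not the colliding PDFs.

```python
import hashlib

# Constructed sample documents standing in for the two PDFs in the article.
DOC_A = b"%PDF-1.3 invoice total: 100 USD"
DOC_B = b"%PDF-1.3 invoice total: 900 USD"


def digests(data: bytes) -> dict:
    """Return both the legacy SHA-1 and the recommended SHA-256 digest."""
    return {
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def classify_pair(a: bytes, b: bytes) -> str:
    """Distinguish three cases for two documents:
    'identical'      : same bytes
    'sha1-collision' : different bytes but the same SHA-1 (the attack above)
    'distinct'       : different bytes and different SHA-1
    """
    if a == b:
        return "identical"
    if hashlib.sha1(a).digest() == hashlib.sha1(b).digest():
        # SHA-256 still separates the two; a verifier should treat the
        # matching SHA-1 as meaningless and alert on this condition.
        return "sha1-collision"
    return "distinct"


def verify(data: bytes, expected: dict) -> bool:
    """Accept a document only on a SHA-256 match.

    A manifest that carries only a SHA-1 value is rejected outright, since
    a matching SHA-1 no longer proves the document is the original.
    """
    if "sha256" not in expected:
        return False
    return hashlib.sha256(data).hexdigest() == expected["sha256"]


def git_blob_sha1(content: bytes) -> str:
    """Object id Git computes for a blob: SHA-1 over 'blob <len>\\0<content>'."""
    header = b"blob %d\x00" % len(content)
    return hashlib.sha1(header + content).hexdigest()
```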
