Why SHA-1 Is Dead: New Prefix Collision Attack Signals Its End
A recent research effort costing under $100k demonstrated a chosen-prefix collision attack on SHA-1, proving that attackers can forge signed documents and TLS certificates, and highlighting why the cryptographic community must retire SHA-1 in favor of stronger hash algorithms.
Last week a team of researchers from Singapore and France spent under $100,000 to achieve the first chosen-prefix collision attack on SHA‑1, in which the attacker freely chooses the prefixes of the two colliding messages rather than accepting whatever pair the attack happens to produce. This makes it feasible to forge SHA‑1‑signed documents, including commercial files and TLS certificates.
SHA‑1 is a cryptographic hash function, used mainly in digital signatures, that maps a message of any length to a fixed‑length fingerprint (digest) against which the message's integrity can be checked. Two different messages should never produce the same digest; when they do, that is a collision. Because a signature actually covers the digest rather than the file itself, an attacker holding a collision can substitute a malicious file for the legitimate one and the original signature still verifies.
The End of the SHA‑1 Era
In 2017 Google released two different PDF files (PDF1 and PDF2) that shared the same SHA‑1 hash, a collision known as the “SHAttered” attack. The attack was 100,000 times faster than brute‑force methods and cost only about $110,000 on Amazon’s cloud platform.
SHA‑1, once the standard choice for digital signatures, file‑integrity verification, and the protection of digital assets such as credit‑card transactions and software updates, has thus been shown in practice to admit colliding files.
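To make the collision argument above concrete, the following added example (not code from the page or from the researchers it describes) truncates SHA‑256 to a handful of bits as a stand-in for a weak hash. It runs the generic birthday search that finds two distinct messages with the same digest in roughly 2^(bits/2) evaluations, contrasts it with the 2^bits cost of matching one fixed digest, and shows that a verifier which only recomputes and compares the digest accepts the colliding message. The message formats and bit widths are constructed for the demonstration.

```python
"""Toy illustration of why a hash collision breaks digest-based signing.

A real SHA-1 collision costs on the order of 2^61 work; here SHA-256 is
truncated to a few bits so the same generic search finishes in milliseconds.
"""
import hashlib
from typing import Optional, Tuple


def toy_digest(data: bytes, bits: int) -> int:
    """Stand-in for a weak hash: the top `bits` bits of SHA-256(data)."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def counter_message(i: int) -> bytes:
    # Constructed candidate messages: a fixed label plus a counter.
    return b"document-v" + str(i).encode()


def birthday_collision(bits: int) -> Tuple[bytes, bytes, int]:
    """Generic birthday search for two distinct messages with equal digest.

    Expected cost is about 2^(bits/2) evaluations; the pigeonhole principle
    guarantees success after at most 2^bits + 1 messages.
    """
    seen = {}
    tries = 0
    while True:
        tries += 1
        m = counter_message(tries)
        d = toy_digest(m, bits)
        if d in seen:
            return seen[d], m, tries
        seen[d] = m


def second_preimage(target: bytes, bits: int, budget: int) -> Optional[Tuple[bytes, int]]:
    """Brute force for a *different* message matching one fixed digest.

    Expected cost is 2^bits evaluations, the square of the birthday cost,
    which is why collision attacks arrive long before preimage attacks.
    """
    want = toy_digest(target, bits)
    for tries in range(1, budget + 1):
        m = b"forged-" + str(tries).encode()  # constructed, never equals target
        if toy_digest(m, bits) == want:
            return m, tries
    return None


def verify_signed_digest(signed_digest: int, data: bytes, bits: int) -> bool:
    """What a verifier effectively does: recompute the digest and compare it
    with the digest the signer committed to. A colliding file passes."""
    return toy_digest(data, bits) == signed_digest


if __name__ == "__main__":
    bits = 16
    m1, m2, n = birthday_collision(bits)
    signed = toy_digest(m1, bits)  # the signer only ever saw m1
    print(f"collision after {n} tries: {m1!r} vs {m2!r}")
    print("colliding file verifies:", verify_signed_digest(signed, m2, bits))
    print("second preimage at 12 bits:", second_preimage(m1, 12, budget=1 << 16))
```

The gap between the two search costs is the whole story of SHA‑1's decline: collision resistance fell to roughly 2^61 work while preimage resistance remains intact, so any use that lets an attacker influence what gets signed (certificates, documents, commits) is exposed even though a fixed, already-published digest is not.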
Still Widely Used
Despite warnings years ago about SHA‑1’s weaknesses, many SSL/TLS services still rely on it as a basic cryptographic primitive. Android system apps, upgrade packages, bootloaders, and other modules often use RSA + SHA‑1 for signing.
Any application that depends on SHA‑1 for digital certificates, email PGP/GPG signatures, software signing, ISO checksums, deduplication, Git repositories, and similar uses may be vulnerable.
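A first step in any migration is finding out where SHA‑1 is still bound into signatures. The following added example (not code from the page or from any project it names) walks a DER‑encoded X.509 certificate with a minimal standard-library ASN.1 reader and flags the SHA‑1 signature-algorithm OIDs. The certificate it checks is a constructed stand-in built by the same script (a dummy tbsCertificate and placeholder signature bytes), not a real certificate; the helper and function names are the example's own.

```python
"""Flag X.509 certificates (DER or PEM) whose signature algorithm uses SHA-1.

Only the outer signatureAlgorithm field is inspected; no external
dependencies are needed, so this can run over an exported trust store.
"""
import base64
import os
from typing import List, Tuple

# Standard signature-algorithm OIDs that bind a SHA-1 digest.
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}


def der_read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value: bytes) -> List[Tuple[int, bytes]]:
    """Split the body of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = der_read_tlv(value, pos)
        out.append((tag, inner))
    return out


def decode_oid(raw: bytes) -> str:
    """Decode DER OID contents into dotted notation (base-128 arcs)."""
    first = raw[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc = 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def load_cert(raw: bytes) -> bytes:
    """Accept DER as-is; strip PEM armour and base64-decode otherwise."""
    if raw.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(l for l in raw.splitlines() if not l.startswith(b"-----"))
        return base64.b64decode(body)
    return raw


def signature_algorithm_oid(cert_der: bytes) -> str:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, body, _ = der_read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _tbs, (alg_tag, alg_body), _sig = der_children(body)[:3]
    oid_tag, oid_raw = der_children(alg_body)[0]
    if alg_tag != 0x30 or oid_tag != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    return decode_oid(oid_raw)


def uses_sha1_signature(cert_der: bytes) -> bool:
    return signature_algorithm_oid(cert_der) in SHA1_SIGNATURE_OIDS


def scan_directory(root: str) -> List[str]:
    """Return paths under `root` whose certificate is SHA-1 signed."""
    flagged = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    if uses_sha1_signature(load_cert(fh.read())):
                        flagged.append(path)
            except (ValueError, IndexError, base64.binascii.Error):
                continue  # not a certificate we can parse
    return flagged


# --- constructed test data (not a real certificate) -----------------------
def der_tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def constructed_cert(sig_oid: str) -> bytes:
    """Stand-in certificate: dummy tbsCertificate, chosen OID, placeholder signature."""
    tbs = der_tlv(0x30, der_tlv(0x02, b"\x01"))
    alg = der_tlv(0x30, der_tlv(0x06, encode_oid(sig_oid)) + der_tlv(0x05, b""))
    sig = der_tlv(0x03, b"\x00" + b"\xab" * 16)
    return der_tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(oid, "-> SHA-1 signed:", uses_sha1_signature(constructed_cert(oid)))
```

The check inspects only the certificate's own signature, which is what matters for forgery: a chosen-prefix collision lets an attacker obtain a SHA‑1 signature from a CA on one certificate and transplant it onto another. Root certificates are self-signed and trusted by fingerprint rather than by their signature, so a SHA‑1 root is a lesser concern than a SHA‑1 intermediate or leaf; a fuller audit would also read the tbsCertificate.signature field and confirm it matches the outer algorithm.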
Stop Using SHA‑1 Immediately
Major browsers such as Chrome, Firefox, and Safari stopped trusting SHA‑1‑signed HTTPS certificates at the beginning of 2017. Yet in February 2017 about 110,000 SHA‑1 certificates (0.7 % of all public certificates) were still in use.
Security researchers and companies have been urging developers to replace SHA‑1 for years; the recent collision attack should serve as a final warning.
Alternative hash algorithms such as SHA‑224, SHA‑256, SHA‑384, SHA‑512, SHA‑512/224, and SHA‑512/256 (the SHA‑2 family) have been available since 2001, and China's SM3 algorithm has also proven secure.
In summary, any product that still uses SHA‑1 for message digests should migrate to these stronger hash functions without delay.