
Google Security Crew Finds A Hole In SHA-1 Encryption

The main function of Google’s security team is to keep Google’s own products and customers safe from threats on the Internet, but as part of their side function of keeping the Internet in general secure, they’ve managed to put a hole in SHA-1, the cryptographic hash function that’s been common on the Internet since its inception. Security researchers and hackers have managed to attack SHA-1 systems before, but Google’s attack marks the first full collision, meaning two different inputs that produce the same hash value. In other words, SHA-1, which has been debated as theoretically unsafe in the past, has now been proven insecure in practice for the first time ever. Google will release the code that allowed them to perform the attack in 90 days, which means any websites or resources that have not migrated away from SHA-1 by then may face attacks.

Google’s attack was developed over the course of two years, in collaboration with researchers from the CWI Institute of Amsterdam. Google is releasing two PDF files with identical hashes and different contents as a proof of concept for their attack. While some may argue that such an attack and the resulting collision might never have been brought into existence, or would at least have taken many years longer, without this intervention, there has been debate for years over how secure and reliable SHA-1 is. By creating an attack and scheduling a date for its public release, Google is essentially forcing those who still use this outdated security method to change their ways or face potential attacks.

The SHA-1 hash has been around in various forms since being invented by the United States government in 1995 and has played an integral role in a number of core security and general computing functions ever since. Detecting duplicate files, user authentication, and code repository management are just some of the many functions that security hashes can perform. While many websites, program creators, and public and private resources have moved on from SHA-1 to the more secure SHA-2 and other hash variants, many are still clinging to SHA-1, and all of them will be in severe danger of an attack when Google releases their code publicly.
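As an added example (not from the original article or from Google's release), a defender can audit a file set for pairs like the two PDFs described above, and for the duplicate-detection use mentioned here, by grouping files on SHA-1 and comparing SHA-256 within each group. The function names and sample byte strings are constructed for illustration; `truncated_sha1` is a hypothetical stand-in weak hash used only to exercise the detection path, since no real colliding pair is embedded.

```python
import hashlib
from collections import defaultdict


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def find_collisions(blobs, weak=sha1_hex):
    """Return [(weak_digest, [names])] for files that share a weak digest
    but differ under SHA-256, i.e. same hash, different contents."""
    groups = defaultdict(lambda: defaultdict(list))
    for name, data in blobs.items():
        strong = hashlib.sha256(data).hexdigest()
        groups[weak(data)][strong].append(name)
    report = []
    for digest, by_strong in groups.items():
        # One weak digest mapping to several SHA-256 values is a collision.
        # Byte-identical copies share both digests and are not reported.
        if len(by_strong) > 1:
            names = sorted(n for ns in by_strong.values() for n in ns)
            report.append((digest, names))
    return sorted(report)


def truncated_sha1(data: bytes) -> str:
    # Hypothetical stand-in: keeps only 8 bits of SHA-1 so that collisions
    # are guaranteed among more than 256 distinct inputs (pigeonhole).
    return sha1_hex(data)[:2]


# Constructed sample: 300 distinct "documents" plus one byte-identical copy.
SAMPLE = {f"doc{i}.pdf": f"constructed content {i}".encode() for i in range(300)}
SAMPLE["copy-of-doc0.pdf"] = SAMPLE["doc0.pdf"]

if __name__ == "__main__":
    print("full SHA-1 collisions:", find_collisions(SAMPLE))
    hits = find_collisions(SAMPLE, weak=truncated_sha1)
    print("8-bit stand-in collisions:", len(hits), "groups, e.g.", hits[0])
```

A dedup store or integrity check that trusts the weak digest alone would treat every file in a reported group as the same file.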