First of all, I'm not sure how anyone can 'crack' a hash function. Yes, hardwares are getting more powerful & we've more sophisticated hash algorithms but finding the domain of collision through probability & designing a rouge payload to design an PoC exploit shouldn't be called 'cracking', IMHO. Interesting reading: https://malicioussha1.github.io/ https://sites.google.com/site/itstheshappening/
Maybe it helps to put it this way: If you can achieve what the hash function is designed to prevent, then it can be considered "cracked".
@Satoshi: That looks like Penn Station. (Or, around the corner from it.) You should see that place around rush hour...It's a zoo.
SHA-1 being exploited would mean some system was broken because of SHA-1. AFAIK, outside of these theoretical weaknesses, it hasn't, yet. Just don't use it anymore when you can also use SHA-2.
I think what the article talks about is excessive collisions in the hash algorithm of SHA-1, (IIRC. I read it around when Tito first posted it) Excessive collisions would mean that two documents could possibly be assigned the same hash value. I suppose in very specific instances, it could be used to exploit something. Edit: This is a little scary. http://bits.blogs.nytimes.com/2008/12/30/outdated-security-software-threatens-web-commerce/?_r=0
Being able to find 2 inputs that give colliding outputs is still a whole different thing than finding a colliding input for another fixed input. Edit: http://crypto.stackexchange.com/questions/29695/what-is-a-freestart-collision So while SHA-1 isn't trivially broken as to cause real problems, it's too weak to use for new implementations. And you probably shouldn't use it for signing mails with legal documents and such. Edit: That link is about MD5 which nobody should use anymore. But it's basically the same thing happening.
We've long known that SHA-1 is broken. https://eprint.iacr.org/2015/967.pdf http://www3.ntu.edu.sg/CorpComms2/D...ctical SHA-1 Collision Attack Months Away.pdf http://social.technet.microsoft.com...in-active-directory-certificate-services.aspx https://en.wikipedia.org/wiki/SHA-1 https://en.wikipedia.org/wiki/MD5 https://en.bitcoin.it/wiki/Hashcash https://micahflee.com/2016/02/backdoored-linux-mint-and-the-perils-of-checksums https://sites.google.com/site/itstheshappening http://eprint.iacr.org/2015/967
Let the SHA1 mofo die... together with statcounter https://www.schneier.com/blog/archives/2005/02/sha1_broken.html