SHA1 collisions proven possisble

Patrick W. Gilmore patrick at
Thu Feb 23 20:03:34 UTC 2017

On Feb 23, 2017, at 2:59 PM, Ca By <cb.list6 at> wrote:
> On Thu, Feb 23, 2017 at 10:27 AM Grant Ridder <shortdudey123 at> wrote:
>> Coworker passed this on to me.
>> Looks like SHA1 hash collisions are now achievable in a reasonable time
>> period
>> -Grant
> Good thing we "secure" our routing protocols with MD5

MD5 on BGP considered Harmful.

> :)


More seriously: The attack (or at least as much as we can glean from the blog post) cannot find a collision (file with same hash) from an arbitrary file. The attack creates two files which have the same hash, which is scary, but not as bad as it could be.

For instance, someone cannot take Verisign’s root cert and create a cert which collides on SHA-1. Or at least we do not think they can. We’ll know in 90 days when Google releases the code.


More information about the NANOG mailing list