> Today was announced that SHA1 is now completely broken > https://security.googleblog.com/2017/02/announcing-first-sha1- > collision.html
SHA-1 is broken *for some purposes*. That's scary enough, trust me. Let's not overstate things. For the last ten years I've been saying, "The smoke alarm has gone off and we think there's a fire. There's no danger to anyone right now, but we need to move to the exits in an orderly fashion. Start migrating away from SHA-1 right now, so that when the collisions happen you've already been using SHA256 for years." Today we've seen the fire. It's not surprising. We knew this was coming, we just didn't know when. If you're still using SHA-1, you probably need to begin migrating *right now* before the fire gets worse. If you don't know how, ask on this list and we'll help you. But don't panic: we can help. A question for the list: should we put a "Migrating to SHA256" section in the FAQ? _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
