SHA-1
The standard hash of the late-'90s web. Demonstrably collidable since 2017's SHAttered, but TLS, Git, and JWT all still ship code paths that touch it.
By Deepak Gupta ·
SHA-1 produces a 160-bit hash and was the default cryptographic hash for over a decade: TLS certificates, code signing, Git's content-addressable storage, every API that ever shipped HMAC-SHA1. The first practical collision arrived in 2017 (the SHAttered attack, ~110 GPU-years, two PDFs with identical SHA-1 hashes), and chosen-prefix collisions followed in 2020 for ~$45K of compute. Browsers stopped trusting SHA-1 certificates in 2017. Git is migrating to SHA-256 but the transition will take a decade. If you're verifying signatures or building anything new, SHA-1 is dead. But if you're consuming an older API that signs with HMAC-SHA1 the attack model is different (you'd need a key, not a collision) and you can still safely use it until the API is upgraded.
Recommended uses
- ·Verifying existing signatures from systems that still emit SHA-1
- ·Interoperating with legacy APIs that demand HMAC-SHA1
Known attacks / caveats
- ·SHAttered collision attack (Google + CWI, 2017)
- ·Chosen-prefix collisions for ~$45K of compute (Leurent & Peyrin, 2020)
- ·Length-extension attacks (use HMAC instead of bare H(key||msg))
Designed by
NSA, published 1995.