Four months ago, I reported that the SHA-1 hash algorithm was broken. Before that I had reported that SHA-0 and MD5 were broken. In both articles, I took pains to indicate that it wasn't necessarily time to fly into a panic.
The fact that the former can be done in less than brute force time does not necessarily imply that the latter can be done in less than brute force time, and it says even less about how one might develop an attack suitable for use against real messages. Only time will tell, but the clock is definitely ticking.
It is now time to report that the situation is worse than most people expected, and while panic still probably isn't necessary, it could be quite soon. Take a look at the picture above, and notice that SHA-1 and MD5 are used as the message authentication codes in the SSL ciphers available on a Domino server. Whether or not they are the only message authentication codes supported by other servers and by all the browsers I can't say for sure, but it's probably true. Even more important, though, is the fact that X.509 certificates are normally signed using one of these hashes, so if these algorithms are broken the cross-certificates that are built into every browser must be considered vulnerable to attack, and that means that phishers will be able to spoof SSL server certificates. Update: Previous statement was not correct. See here for a better continuation of this article.
That point bears repeating: phishers will be able to spoof SSL server certificates. I.e., phishers will be able to create their own signing certificate and make its signature match the signature of a legitimate signing certificate from Verisign. They will then be able to set up their own CA and sign whatever server certificates they want, and these certificates will look 100% authentic to a browser because the CA signature will validate. They'll be able to set up servers that use those certificates, and when they lure their marks to those servers the padlock icon will be shown, the information displayed when you click on the padlock will look right, no warning messages will be put up by the browser, and yet no public CA will have any record of who bought the certificate.
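The practical question the previous two paragraphs raise for an administrator is which certificates in a trust store or on a server still carry MD5- or SHA-1-based signatures. The following is an added example, not code from the original post or from Domino: a standard-library-only Python script that reads the outer signatureAlgorithm field of a DER-encoded X.509 certificate and flags weak digests. The OID table covers the common RSA and ECDSA signature identifiers; the certificates it runs on below are constructed stubs with the real X.509 layout but dummy contents, so the script runs offline. Real PEM files can be fed through `pem_to_der`.

```python
"""Added example (not part of the original post): audit the signature hash of
X.509 certificates using a minimal DER walker. Certificate ::= SEQUENCE {
tbsCertificate, signatureAlgorithm, signatureValue }; we skip the first
element and decode the AlgorithmIdentifier's OBJECT IDENTIFIER."""
import base64
import re

# Signature algorithm OIDs (PKCS #1 and ANSI X9.62) -> (name, underlying digest).
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "md5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "sha1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "sha256"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "sha1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "sha256"),
}
BROKEN_HASHES = {"md5", "sha1"}

# Content octets of the OIDs above, used to build constructed test certificates.
OID_MD5_RSA = bytes.fromhex("2a864886f70d010104")
OID_SHA1_RSA = bytes.fromhex("2a864886f70d010105")
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Convert OBJECT IDENTIFIER content octets to dotted-decimal form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # last octet of a base-128 arc has the high bit clear
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """Return the dotted OID of the certificate's outer signatureAlgorithm."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(body, 0)        # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(body, pos)    # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(oid)


def audit(der):
    """Classify one certificate as (oid, algorithm name, digest, is_weak)."""
    oid = signature_algorithm(der)
    name, digest = SIGNATURE_OIDS.get(oid, ("unknown", "unknown"))
    return oid, name, digest, digest in BROKEN_HASHES


def pem_to_der(pem_text):
    """Strip PEM armor and base64-decode so real certificate files can be audited."""
    b64 = re.sub(r"-----(BEGIN|END) CERTIFICATE-----|\s", "", pem_text)
    return base64.b64decode(b64)


def _der(tag, content):
    """Tiny DER encoder (short-form lengths only) for building stub certificates."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content


def make_stub_cert(alg_oid_bytes):
    """Constructed test data: structurally valid certificate with dummy contents.
    Only the signatureAlgorithm carries meaningful information."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                              # SEQUENCE { INTEGER 1 }
    alg = _der(0x30, _der(0x06, alg_oid_bytes) + _der(0x05, b""))      # { OID, NULL }
    sig = _der(0x03, b"\x00" + b"\x00" * 4)                            # BIT STRING, 0 unused bits
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for label, oid_bytes in [("md5", OID_MD5_RSA), ("sha1", OID_SHA1_RSA), ("sha256", OID_SHA256_RSA)]:
        oid, name, digest, weak = audit(make_stub_cert(oid_bytes))
        print(f"{label:7} {name:26} {oid:24} {'WEAK' if weak else 'ok'}")
```

To audit a real certificate, read the PEM file and pass `pem_to_der(text)` to `audit`; long-form DER lengths used by real certificates are handled by `_read_tlv`. The script reports only the signature digest, which is the property at issue in the paragraphs above; it does not validate the chain or the signature value.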
Why do I say that this will happen when previously I stressed that it wasn't yet time to panic? I'll get back to that later today. I'll also spend some time on what the implications are for the world's largest PKI installed base -- the Notes and Domino users. But right now, I've got to finish loading the car to take the kids to camp.