SHA1 broken

Update: More about this in Schneier's blog, but in short, the results have been verified. My original post is below.

As reported by Bruce Schneier, SHA-1 seems to be broken (the international community has not verified this attack yet, but the security team is held in high regard).

This means me, you and everyone who uses GPG/PGP should go and change the hash function from the default SHA-1 to, for example, RIPEMD160.

While Enigmail allows for hash selection in its UI, this doesn't actually do anything (which is bad, as the real hash used in a message is not readily visible either).

A workaround for this is to install the latest Enigmail you can get and add --digest-algo RIPEMD160 to "Additional parameters for GnuPG", which forces the hash selection via a command-line switch.
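Because the hash actually used is not shown in the UI, it is worth checking a signed message after applying the workaround. The following is an added example, not part of the original post: it reads the "Hash:" armor header of a clearsigned message and the hash algorithm byte inside the signature packet, following the packet layout in RFC 4880. The function names are hypothetical and the sample message is constructed (a truncated packet, not a valid signature).

```python
import base64
import re

# OpenPGP hash algorithm IDs (RFC 4880, section 9.4).
HASH_IDS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
            9: "SHA384", 10: "SHA512", 11: "SHA224"}

def declared_hash(text):
    """'Hash:' armor header of a clearsigned message, or None if absent."""
    m = re.search(r"^-----BEGIN PGP SIGNED MESSAGE-----\n((?:[^\n]+\n)*)\n", text, re.M)
    h = re.search(r"^Hash: *(\S+)", m.group(1), re.M) if m else None
    return h.group(1).upper() if h else None

def signature_hash(text):
    """Hash algorithm recorded in the first packet of the armored signature."""
    m = re.search(r"-----BEGIN PGP SIGNATURE-----\n(?:[^\n]+\n)*\n(.*?)-----END", text, re.S)
    if not m:
        raise ValueError("no armored signature found")
    lines = [l for l in m.group(1).split() if not l.startswith("=")]  # drop CRC line
    pkt = base64.b64decode("".join(lines))
    tag, first = pkt[0], pkt[1]
    if (tag & 0xC0) == 0x80 and ((tag >> 2) & 0x0F) == 2:   # old-format header, tag 2
        off = 1 + (1, 2, 4, 0)[tag & 3]
    elif (tag & 0xC0) == 0xC0 and (tag & 0x3F) == 2:        # new-format header, tag 2
        off = 2 if first < 192 else 3 if first < 224 else 6 if first == 255 else 2
    else:
        raise ValueError("first packet is not a signature packet")
    # v4 body: version, sig type, pubkey algo, hash algo
    # v3 body: version, 5, sig type, time(4), key id(8), pubkey algo, hash algo
    algo = pkt[off + 3] if pkt[off] == 4 else pkt[off + 16]
    return HASH_IDS.get(algo, "unknown(%d)" % algo)

def make_sample(header_hash, packet_hash_id):
    """Constructed test input: a truncated v4 signature packet, not a valid signature."""
    pkt = bytes([0x88, 6, 4, 0x01, 17, packet_hash_id, 0, 0])
    return ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: %s\n\nhello\n"
            "-----BEGIN PGP SIGNATURE-----\nVersion: sample\n\n%s\n"
            "-----END PGP SIGNATURE-----\n" % (header_hash, base64.b64encode(pkt).decode()))

if __name__ == "__main__":
    for msg in (make_sample("SHA1", 2), make_sample("RIPEMD160", 3)):
        print("declared:", declared_hash(msg), "| in signature packet:", signature_hash(msg))
```

If either value still reads SHA1 on a message sent after the change, the --digest-algo parameter is not reaching GnuPG.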

Update

While not the same thing (shorter hash, for example), a practical example of an MD5 collision has been demonstrated for meaningful text documents.

