The price of producing SHA1 collisions has dropped with a recent demonstration of "chosen prefix" collision attacks on SHA1 (archived). The method demonstrated is alleged to be roughly ten times less expensive than the one that produced the first SHA1 collisions back in 2017.
Apropos of this: I found that a number of vtronics folks are still emitting SHA-1 GPG sigs. Please fix your configs, folks.
Incidentally, AFAIK all versions of GPG will accept SHA1 "subkey binding signatures", which means that one can inexpensively take a third party's public key and produce another, which contains an enemy-generated subkey in addition to your legitimate one, and will still emit "gpg: Good signature from "You foo@bar…" using RSA key ID yourgenuinekeyid" when a message signed with the glued-on subkey is run through gpg --verify. Such a diddled key will return "valid" on both genuine (signed by your genuine priv.) and enemy-generated sigs.
The correct pill against this is to finally throw out the "subkeys" and "bindings" nonsense and distribute fixed-modulus public keys.