sicutdeux@blog : ~/links/announcing-the-first-sha-1-collision $
theme:auto
sicutdeux@blog:~/links$cat announcing-the-first-sha-1-collision.md
link2026-05-20·curated link

Announcing the first SHA-1 collision

source: security.googleblog.com · read original ↗
---
source_url:
https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html
source_name:
security.googleblog.com
published:
2026-05-20
llm_model:
us.anthropic.claude-haiku-4-5-20251001-v1:0
status:
approved · published
---
Google announced the first practical collision attack against SHA-1, demonstrating two different PDF files with identical SHA-1 hashes using 9,223,372,036,854,775,808 SHA-1 computations.

landmark moment in cryptography. sha1’s theoretical weaknesses (known since 2005) finally became practically exploitable. the attack required significant computational resources but proved the hash function’s collision resistance was fundamentally broken, not just theoretically. important context: this didn’t mean sha1 was suddenly unsafe everywhere—it depended on threat model and how collisions mattered for your specific use case. pushed migration timelines for certificate authorities and git implementations, though some systems rode it out longer. demonstrates why cryptographic agility and algorithm rotation matter; also why you shouldn’t design systems assuming hash functions won’t break.