Why SHA-1 Is Deprecated
The complete story of SHA-1 deprecation: from theoretical weaknesses in 2005 to the SHAttered collision in 2017, industry response, and the ongoing migration to SHA-256.
Detailed Explanation
SHA-1 was the dominant cryptographic hash function from 1995 to the mid-2010s, used in SSL/TLS certificates, code signing, Git, and countless protocols. Its deprecation represents one of the largest coordinated security migrations in computing history.
Theoretical cracks (2005):
In 2005, Xiaoyun Wang (the same researcher who broke MD5) published an attack that reduced the cost of finding a SHA-1 collision from the expected 2^80 operations to 2^69. While still impractical at the time, this was a clear warning sign. Cryptographers began advocating for migration to SHA-256. NIST issued guidance recommending SHA-256 for new systems and deprecating SHA-1 for digital signatures by 2010 (later extended to 2013).
The SHAttered attack (2017):
Google and CWI Amsterdam invested approximately 6,500 CPU-years and 110 GPU-years of computation (executed on Google's cloud infrastructure) to produce the first practical SHA-1 collision. They created two PDF files with identical SHA-1 hashes but different visual content. The attack proved that SHA-1 collisions were achievable by well-resourced attackers and demonstrated the technique using a commercially relevant file format.
Chosen-prefix collisions (2020):
Researchers Gaëtan Leurent and Thomas Peyrin demonstrated chosen-prefix collisions against SHA-1, a more powerful attack that allows colliding two inputs with arbitrary chosen prefixes. The cost was estimated at $45,000 in GPU rental, putting it within reach of criminal organizations. This attack type is more dangerous because it enables forging digital signatures on attacker-chosen content.
Industry deprecation timeline:
2011: NIST deprecated SHA-1 for digital signatures.
2014: Google Chrome began showing warnings for SHA-1 certificates.
2016: Major CAs stopped issuing SHA-1 SSL certificates.
2017: Chrome, Firefox, and Edge rejected SHA-1 certificates entirely.
2020: Microsoft removed SHA-1 code signing trust for Windows. Git announced migration to SHA-256 as the default object format.
Remaining SHA-1 usage:
Git still uses SHA-1 by default (migration in progress). HMAC-SHA1 remains technically secure and is required for TOTP compatibility. Some legacy embedded systems with long upgrade cycles still depend on SHA-1. For all of these, migration plans should be in place.
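The HMAC-SHA1 case from the paragraph above, shown as an added example that is not part of the original page: a standard-library TOTP generator and verifier following RFC 4226 and RFC 6238, with the hash algorithm as a parameter so the same code can run with SHA-256. Function and constant names are this example's own; the two keys are the published RFC test keys.

```python
import hashlib
import hmac
import struct

# Published test keys (ASCII) from RFC 4226 / RFC 6238 Appendix B.
RFC_KEY_SHA1 = b"12345678901234567890"
RFC_KEY_SHA256 = b"12345678901234567890123456789012"


def hotp(key: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC over an 8-byte big-endian counter, then dynamic truncation."""
    # The tag depends on a secret key the attacker does not hold, so a
    # collision in bare SHA-1 does not translate into a forged code.
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo: str = "sha1") -> str:
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(key, unix_time // step, digits, algo)


def verify(key: bytes, submitted: str, unix_time: int, window: int = 1,
           step: int = 30, digits: int = 6, algo: str = "sha1") -> bool:
    """Accept a code from the current step or `window` steps either side."""
    current = unix_time // step
    ok = False
    for counter in range(max(0, current - window), current + window + 1):
        expected = hotp(key, counter, digits, algo)
        # compare_digest avoids leaking the match position through timing
        ok |= hmac.compare_digest(expected, submitted)
    return ok


if __name__ == "__main__":
    print(totp(RFC_KEY_SHA1, 59, digits=8))                   # RFC 6238 vector
    print(totp(RFC_KEY_SHA256, 59, digits=8, algo="sha256"))  # same time, SHA-256
    print(verify(RFC_KEY_SHA1, "287082", 89))                 # code from one step earlier
```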
Use Case
Understanding SHA-1's deprecation helps security teams justify migration budgets and prioritize replacing SHA-1 in certificates, signatures, and protocol implementations.