HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.
SHA-1 is officially compromised
Linc
Admin
Today, Google announced the first SHA-1 collision. In 90 days they will release the code to duplicate their attack. In practical terms, it means you need to move any SHA-1 using applications to SHA-256 as soon as possible. This includes, potentially, jsConnect connections.
1
Comments
Yep I would worry more about large organisations and states with that much computing power. Even the largest botnets would likely not be big enough or up and running long enough.
grep is your friend.
we may have to rely on Quantum cryptography in the future.
grep is your friend.
I notice you still strongly recommend it in the jsConnect docs... maybe change that ?
http://docs.vanillaforums.com/help/sso/jsconnect/seamless/
❌ ✊ ♥. ¸. ••. ¸♥¸. ••. ¸♥ ✊ ❌
Thanks, I've updated that page.