SHA-1 is a major form of encryption that’s only been around for nine years and it was just broken by a team of Chinese researchers. SHA-1 is used in SSH, SSL, S/Mime, VPNs and more. The Chinese did not have super computers to use, but instead used a form of distributed computing like the SETI project. Here are more details from PC World.
The scope of the problem is enormous. Virtually all application and server software that incorporates SHA-1 into its functions–including Web browsers, e-mail clients, instant messaging programs, secure shell clients, and file- and disk-encryption software–will need to be replaced or upgraded. “We all sort of knew this could happen, but we didn’t expect it this bad, this soon,” says Schneier, who also blogs about security topics.
“We’ve all been discussing what we’re going to do for some time,” says Jon D. Callas, chief technology officer for PGP, a company that makes encryption products for individual and business computer users, as well as high-end mail encryption gateways for enterprises. “The next release of PGP will incorporate SHA-256 into the software,” Callas says. “PGP 9 will likely go into beta in a few weeks.” “At PGP, we’ve been working on this for a long time, but we’re a little quicker about this kind of stuff than most people,” Callas adds. “This is not a ‘Run for the exits, the place is on fire’ kind of situation,” Callas says. “It’s ‘The fire alarm is on, this is not a drill, please move to the exits.'”