by jluxenberg 5786 days ago
They're using SHA1 to sign / identify programs. Finding and exploiting a hash collision would be fairly straightforward and could have really bad consequences, since I presume I could publish my "rogue" modified program to peers fairly easily.
2 comments

Just out of curiosity, is there any new progress in the collision discovery of SHA1? Can you provide some references so that I can dig in?

Here is the question posed to the Stack Overflow audience; however, it's from 2009[1]. The linked article says that they can now get collisions in about 2^52 operations, as opposed to the previous 2^69.

The National Institute of Standards and Technology has urged Federal agencies to stop using SHA1 digital signatures by the end of 2010, and instead start transitioning to the SHA2 family[3].

[1] http://stackoverflow.com/questions/1147830/understanding-sha...

[2] http://www.schneier.com/blog/archives/2005/02/sha1_broken.ht...

[3] http://csrc.nist.gov/groups/ST/hash/statement.html

From the footnotes: "In addition, we will be transitioning to SHA-256 in the future."

Our early decision to use SHA-1 was a balance between limitations of mobile hardware and the security landscape of the day.

Much of Skynet's core technology is actually designed for mobile platforms. Skynet essentially thinks of a desktop computer as a fancy phone with a different UI toolkit and without a cellular modem.

While switching to SHA-2 is on our to-do list, it's not as high as nailing a stellar experience for our users. Should SHA-1 erode more quickly than expected, we'll be sure to bump up the priority of that transition. We'll be sure to pivot the network before it's a real problem.