From Bruce Schneier’s weblog: SHA-1 Broken. The same researchers that brought you a broken SHA-0, have now brought you a broken SHA-1. Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu have “broken” SHA-1 proving that collisions do exist, and that they’re relatively easy to find - relatively is a big stretch there.

I’m enough of a cryptogeek to understand some of it, but not all of it, so I’ll be waiting for the people who know better to give layman’s details, but it means a big problem with digital signatures. Granted, this technique may not allow someone to change “attack at dawn” to “attack at dusk” in any meaningful way, but what about SSL where you “sign” a random challenge?