Some French and Singaporean researchers recently demonstrated a practical attack against SHA-1 hashing by performing a PGP/GnuPG impersonation attack. The team used an Nvidia GTX 970 at an estimated rental cost of $11,000 USD for a collision and $45,00 USD for a chosen-prefix collision. In total the attack took about two months to complete.
Such news is similar to the practical attacks shown in 2009 against MD5. Signature schemes and handshake security in “secure” protocols such as TLS and SSH are now known vulnerable.
It is recommended to remove SHA-1 from your selected hash choice from any tool or protocol you are using. Legacy GnuPG still uses SHA-1 by default for identity certifications.
CVE-2019-14855 was assigned to this demonstration.