This is just crazy stuff, and I amnot sure what is more crazy the Math or the Computer Science.

Nine quintillion (9,223,372,036,854,775,808) SHA1 computations in total

Some will certainly come and argue that this is #*$!, and that Google is pushing people to use other encryption algorithms to make more money...

Cryptography is a mind-boggling affair, and I'm glad other people bother with it so I don't have to :-)

@Dimitri - how would Google profit from this?

They wouldn't, of course, but I think that's his point.

More commentary

'First ever' SHA-1 hash collision calculated. All it took were five clever brains... and 6,610 years of processor time

[theregister.co.uk...]

However, it is not beyond the reach of a large corporation or intelligence agency to forge a TLS certificate, a Git repo...

Forge a GIT repo! There must be a few nervous tech companies around, wondering whether their code is safe? The door opened by this vulnerability is huge. One could steal the code outright. But far worse you could inject malware into the code without anyone ever knowing, steal customer data, spy on users, a Stuxnet type attack could be carried out without requiring physical contact with the computer (assuming code base for the attack is repoed on GIT).

My comment was a joke, as a reference to the discussions held at the HTTPS topic :-)

@Dimiri: Jokes are harder to perceive in these desperate daze! (sic)

FYI: WebmasterWorld has an intermediate certificate with a weak SHA-1 signature in its chain.

Uh Oh... Of course, for right now, probably not many people outside of Google and government actors can exploit that, but time to get the house in order.

True, but browsers are expected to drop SHA-1 soon, so you might lose your padlock.