Yesterday morning I sent an email to some people at a company I knew was about to release a product using SHA-1. I got this back last night:
Hi Joe,
Just saved me an email I was about to send you a similar one… We’ve been tracking this since yesterday and evaluating what it means to us. I’ll keep you posted of our evaluation and next step plan.
Thanks!
We have a meeting this afternoon on a project for which we were considering the use of SHA-1. It was, and still is, a tough call in some ways. SHA-256 generates 256 bits, which in our application means taking up a lot more of the available bandwidth. I think we’ll probably go with SHA-256 though; this is a “critical infrastructure” application after all. The consequences of inadequate security are just too great compared to the consequences of inadequate bandwidth in some older installations. The bandwidth can be increased to accommodate SHA-256 more easily than we can undo the damage done by an attacker.