For a reminder why we need to move away from SHA1, here are some calculations on what computing power is needed for SHA1 collision attacks. Keep in mind the worst possible attack there is from a "crime syndicate". Now multiply that capability by say 100 to get what an intelligence agency could achieve.
I think Google is sensible about wanting to kill SHA1 earlier than 2018 when a "crime syndicate can provoke a collision attack." Why should they wait until the last day even for that?
https://www.schneier.com/blog/archives/2012/10/when_will_we_...
I think Google is sensible about wanting to kill SHA1 earlier than 2018 when a "crime syndicate can provoke a collision attack." Why should they wait until the last day even for that?