hanno

The whole SHA1 saga has been unfolding over a course of 14 years, when Wang Xiaoyun announced a theoretical attack on SHA1 at the CRYPTO 2005 conference. Basically everything that happened since then was not surprising.

The basic message back then was: "SHA1 does not have the security properties we expect it to have. Use something better, like SHA2." This was true in 2005, it's still true in 2020. Everything else is more or less minor details.

It took a while from "we can do this attack in theory, if someone gives us a lot of money" til "we improved the attack here and there and now google gave us the money to actually do the attack".

It took some more time from "we did the first iteration of the attack" to "we did an iteration of the attack that is a bit more practically relevant".

Also it took plenty of "we know we should get rid of SHA1, but that's not as easy as it sounds". Also some people still shipped new protocols with SHA1 support despite the knownledge of the weakness (looking at Git and TLS 1.2)

There's also plenty of discussion how much these attacks matter, because... as soon as you get to the details it get's complicated. There are numerous attack scenarios that are really unlikely, but still they violate the expectations we have on secure systems.

But that's really all just minor details. None of that came as a surprise, everything was pretty much to be expected by the result from Wang in 2005.