The team behind shattered.it has recently released a practical attack on SHA-1. We want to put our users at ease by clarifying that the current attack on SHA-1 is not an attack on HMAC-SHA1.

HMAC is a specific type of message authentication code that is built from a hash function. Despite using the hash function, its security is substantially stronger than the security of the underlying hash function: the collision attack is on the unkeyed hash, whereas HMAC hashes a secret key before any attacker-controlled data, and its security proof does not require the hash to be collision-resistant. The lack of collision resistance in SHA-1 therefore does not imply a lack of security in HMAC-SHA1.

All of our VPN packet authentication uses HMAC-SHA1 and is therefore not affected by the collision attack on SHA-1. For now, we will not be deprecating the use of HMAC-SHA1. We will nonetheless keep an eye on developments for any indication of a break in HMAC-SHA1 and will move to HMAC-SHA256 if that becomes necessary.

Keep in mind that you can also change your encryption settings on the “Encryption” tab of our VPN client if you want to switch your connection to HMAC-SHA256 instead, among other choices of data encryption and handshake.
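As an added illustration (not part of the original post and not the VPN client's own code), here is the HMAC construction written out from RFC 2104 in Python, so the keying step that the argument above relies on is visible: the inner hash starts from a key-derived block before any message data. The same function produces HMAC-SHA256 when given a different hash name, which is the switch described for the client's “Encryption” tab. The function names, the session key and the packet bytes are constructed for this example; the known-answer values are the published RFC 2202 and RFC 4231 test vectors.

```python
import hashlib
import hmac

# SHA-1 and SHA-256 both consume 64-byte input blocks, so HMAC pads the key to this length.
BLOCK_SIZE = 64


def hmac_from_spec(key: bytes, msg: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC exactly as RFC 2104 defines it: H((K xor opad) || H((K xor ipad) || msg))."""
    def h(data: bytes) -> bytes:
        return hashlib.new(hash_name, data).digest()

    if len(key) > BLOCK_SIZE:                # over-long keys are hashed down first
        key = h(key)
    key = key.ljust(BLOCK_SIZE, b"\x00")     # then zero-padded to one full block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)

    # The inner hash processes a secret, key-derived block *before* any attacker
    # data. A SHAttered-style collision is computed from a known starting state;
    # here that state depends on K, which the attacker does not have.
    inner = h(ipad + msg)
    return h(opad + inner)


def verify_tag(key: bytes, msg: bytes, tag: bytes, hash_name: str = "sha1") -> bool:
    """Recompute the tag and compare in constant time so timing does not leak tag bytes."""
    return hmac.compare_digest(hmac_from_spec(key, msg, hash_name), tag)


def matches_stdlib(key: bytes, msg: bytes, hash_name: str = "sha1") -> bool:
    """Cross-check the from-spec construction against Python's hmac module."""
    return hmac_from_spec(key, msg, hash_name) == hmac.new(key, msg, hash_name).digest()


# Published known-answer vectors (RFC 2202 test case 1, RFC 4231 test case 1):
# key = 0x0b repeated 20 times, message = "Hi There".
KAT_KEY = b"\x0b" * 20
KAT_MSG = b"Hi There"
KAT_SHA1 = bytes.fromhex("b617318655057264e28bc0b6fb378c8ef146be00")
KAT_SHA256 = bytes.fromhex(
    "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7")


def known_answer_tests_pass() -> bool:
    return (hmac_from_spec(KAT_KEY, KAT_MSG, "sha1") == KAT_SHA1
            and hmac_from_spec(KAT_KEY, KAT_MSG, "sha256") == KAT_SHA256)


if __name__ == "__main__":
    # Constructed sample: a VPN-style packet authenticated under a session key.
    session_key = b"constructed-session-key-not-real"
    packet = b"\x45\x00\x00\x3c" + b"constructed payload bytes"
    for name in ("sha1", "sha256"):
        tag = hmac_from_spec(session_key, packet, name)
        print(f"HMAC-{name.upper()}: {tag.hex()} ({len(tag)} bytes)")
        assert verify_tag(session_key, packet, tag, name)
        assert not verify_tag(session_key, packet + b"!", tag, name)
    print("known-answer tests pass:", known_answer_tests_pass())
```

Moving from HMAC-SHA1 to HMAC-SHA256 changes only the hash name and the tag length (20 bytes to 32); the keying structure that keeps the collision attack from applying is identical in both.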

All of our certificates are signed with SHA-256 or a stronger hash and are therefore not affected by this collision attack.

We’re always committed to protecting your privacy and ensuring your security on the internet.

References:

http://cseweb.ucsd.edu/~mihir/papers/hmac-new.html

Other discussions by experts:

https://www.schneier.com/blog/archives/2005/02/sha1_broken.html

https://twitter.com/SteveBellovin/status/834756917037789185

https://twitter.com/jedisct1/status/834751306057338881

https://twitter.com/matthew_d_green/status/594302564700553216