Comment 3 for bug 1288293

"As of 2012, the most efficient attack against SHA-1 is considered to be the one by Marc Stevens[32] with an estimated cost of $2.77M to break a single hash value by renting CPU power from cloud servers.[33] Stevens developed this attack in a project called HashClash,[34] implementing a differential path attack. On 8 November 2010, he claimed he had a fully working near-collision attack against full SHA-1 working with an estimated complexity equivalent to 2^57.5 SHA-1 compressions. He estimates this attack can be extended to a full collision with a complexity around 2^61."

Source: http://en.wikipedia.org/w/index.php?title=SHA-1&oldid=598619464#Attacks