The website currently contains a SHA1 digest of the binary download. While specific collisions have not yet been found, there are strong indicators that this can be broken given the right amount of money. I understand that the threat model of Bitmessage thwarts powerful agencies and can protect people who are performing acts against malicious governments, which can be particularly powerful.
Under this threat model, the use of SHA1 should be sunset and we should be switching to SHA256 for these checksums.