I'm curious if it's safe to use sha1 for an HMAC in 2018 in a platform product.

A popular vendor (Twilio) uses an HMAC with sha1 with a shared secret to validate that messages they send are indeed sent by them (see the Twilio docs on validating messages).

In a recent audit, the use of sha1 was flagged as a potential problem.

As part of the explanation and justification for why it is OK to use hmac-with-sha1, Twilio pointed to this article about hmac with sha1, though I note that article is from 2009.

So, what say you crypto.stackexchange? Is it still safe in 2018 for an organization like Twilio to use sha1 in an HMAC?

greggles

0 Answers