diff --git a/NEWS b/NEWS
index cfcfc97f..bfc03050 100644
--- a/NEWS
+++ b/NEWS
@@ -14,6 +14,7 @@ NEWS ( CHANGELOG and HISTORY )                                     HTMLPurifier
   this also means it's no longer possible to override attribute
   transforms in later modules.  No internal code was using this
   but this may break some clients.
+# We now use SHA-1 to identify cached definitions, instead of MD5.
 ! Support display:inline-block
 ! Support for more white-space CSS values.
 ! Permit underscores in font families
diff --git a/library/HTMLPurifier/Config.php b/library/HTMLPurifier/Config.php
index 648115b9..b4f43bb5 100644
--- a/library/HTMLPurifier/Config.php
+++ b/library/HTMLPurifier/Config.php
@@ -189,7 +189,7 @@ class HTMLPurifier_Config
     }
 
     /**
-     * Returns a md5 signature of a segment of the configuration object
+     * Returns a SHA-1 signature of a segment of the configuration object
      * that uniquely identifies that particular configuration
      * @note Revision is handled specially and is removed from the batch
      *       before processing!
@@ -199,18 +199,18 @@ class HTMLPurifier_Config
         if (empty($this->serials[$namespace])) {
             $batch = $this->getBatch($namespace);
             unset($batch['DefinitionRev']);
-            $this->serials[$namespace] = md5(serialize($batch));
+            $this->serials[$namespace] = sha1(serialize($batch));
         }
         return $this->serials[$namespace];
     }
 
     /**
-     * Returns a md5 signature for the entire configuration object
+     * Returns a SHA-1 signature for the entire configuration object
      * that uniquely identifies that particular configuration
      */
     public function getSerial() {
         if (empty($this->serial)) {
-            $this->serial = md5(serialize($this->getAll()));
+            $this->serial = sha1(serialize($this->getAll()));
         }
         return $this->serial;
     }