Bug 396050

Summary: Move away from SHA-1 to SHA-2
Product: [Applications] kdeconnect Reporter: rugk <7429c5c9>
Component: commonAssignee: Albert Vaca Cintora <albertvaka>
Status: CONFIRMED ---    
Severity: normal CC: nicolas.fella
Priority: NOR    
Version First Reported In: unspecified   
Target Milestone: ---   
Platform: Other   
OS: Linux   
Latest Commit: Version Fixed/Implemented In:
Sentry Crash Report:

Description rugk 2018-07-01 12:21:22 UTC 
As the "encryption information" in your info box indicates, you still use SHA-1 as a hash. SHA-1 is being deprecated and first collision attacks have been shown (https://shattered.it/). Of course, it is not yet broken for your use case, because that would likely require a pre-image attack, but it's better to move away from it *now*.

AFAIK in HTTPS they are already deprecated, so you should do the same.
Comment 1 Nicolas Fella 2018-08-04 17:19:38 UTC 
SHA-1 is only used for the certificate fingerprint, the encryption itself does not use SHA-1
Comment 2 rugk 2018-08-06 20:17:59 UTC 
Okay, that's good to hear, but anyway, that's still a thing to move away from.

Also HTTPS certificates signed by CAs must not use SHA-1 anymore. They have reasons to do so. :)