Bug 415978

Summary: KDE Connect only has SHA1 as authentication, but SHA1 is insecure, because it can be faked since 2017
Product: [Applications] kdeconnect
Component: common
Status: RESOLVED FIXED
Severity: normal
Priority: NOR
Version First Reported In: unspecified
Target Milestone: ---
Platform: Other
OS: Linux
Reporter: DanielSchmalhofer <hallo>
Assignee: Albert Vaca Cintora <albertvaka>
CC: alex, nicolas.fella, valdikss
Latest Commit:
Version Fixed/Implemented In:
Sentry Crash Report:

Description DanielSchmalhofer 2020-01-07 22:01:13 UTC
SUMMARY
SHA1 is insecure - but the only authentication method available in KDE Connect


STEPS TO REPRODUCE
Example of brokenness of SHA1:
https://sha-mbles.github.io/
https://hackaday.com/2017/02/23/shattered-sha-1-is-broken/


SOFTWARE/OS VERSIONS
All systems

Comment 1 Nicolas Fella 2020-01-07 22:51:22 UTC
SHA1 is not used for any cryptographic authentication; it is merely used to generate a somewhat human-readable version of the other device's certificate.

Comment 2 AJ Jordan 2021-07-27 06:07:09 UTC
Modern KDE Connect versions use SHA256. I suggest someone close this.