396050 – Move away from SHA-1 to SHA-2

Bug 396050 - Move away from SHA-1 to SHA-2

Summary: Move away from SHA-1 to SHA-2

Status:	CONFIRMED

Alias:	None

Product:	kdeconnect
Classification:	Applications
Component:	common (other bugs)
Version First Reported In:	unspecified
Platform:	Other Linux

Importance:	NOR normal
Target Milestone:	---
Assignee:	Albert Vaca Cintora

URL:
Keywords:

Depends on:
Blocks:

Reported:	2018-07-01 12:21 UTC by rugk
Modified:	2018-08-06 20:17 UTC (History)
CC List:	1 user (show)

See Also:
Latest Commit:
Version Fixed/Implemented In:
Sentry Crash Report:

Attachments
Add an attachment

Note You need to log in before you can comment on or make changes to this bug.

Description rugk 2018-07-01 12:21:22 UTC

As the "encryption information" in your info box indicates, you still use SHA-1 as a hash. SHA-1 is being deprecated and first collision attacks have been shown (https://shattered.it/). Of course, it is not yet broken for your use case, because that would likely require a pre-image attack, but it's better to move away from it *now*.

AFAIK in HTTPS they are already deprecated, so you should do the same.

Comment 1 Nicolas Fella 2018-08-04 17:19:38 UTC

SHA-1 is only used for the certificate fingerprint, the encryption itself does not use SHA-1

Comment 2 rugk 2018-08-06 20:17:59 UTC

Okay, that's good to hear, but anyway, that's still a thing to move away from.

Also HTTPS certificates signed by CAs must not use SHA-1 anymore. They have reasons to do so. :)