Bug 415978 - KDE Connect only has SHA1 as authentication, but SHA1 is insecure, because it can be faked since 2017
Status: RESOLVED FIXED
Alias: None
Product: kdeconnect
Classification: Applications
Component: common (other bugs)
Version First Reported In: unspecified
Platform: Other Linux
: NOR normal
Target Milestone: ---
Assignee: Albert Vaca Cintora
Reported: 2020-01-07 22:01 UTC by DanielSchmalhofer
Modified: 2022-09-15 14:43 UTC



Description DanielSchmalhofer 2020-01-07 22:01:13 UTC
SUMMARY
SHA1 is insecure - but the only authentication method available in KDE Connect


STEPS TO REPRODUCE
Example of brokenness of SHA1:
https://sha-mbles.github.io/
https://hackaday.com/2017/02/23/shattered-sha-1-is-broken/


SOFTWARE/OS VERSIONS
All systems
Comment 1 Nicolas Fella 2020-01-07 22:51:22 UTC
SHA1 is not used for any cryptographic authentication; it is merely used to generate a somewhat human-readable version of the other device's certificate.
Comment 2 AJ Jordan 2021-07-27 06:07:09 UTC
Modern KDE Connect versions use SHA256. I suggest someone close this.