Bug #2865

MD5 fingerprint displayed for certificate

Added by fedor.brunner about 4 years ago. Updated about 4 years ago.

Status:NewStart date:01/14/2014
Priority:NormalDue date:
Assignee:-% Done:

0%

Category:-
Target version:-
Component:

Description

When new SSL certificate is supplied by the server, ChatSecure displays the MD5 and SHA-1 fingerprint.

Don't display the MD5 fingerprint because doesn't offer no protection against certificate forgeries.
MD5 considered harmful today - Creating a rogue CA certificate
http://www.win.tue.nl/hashclash/rogue-ca/
https://wiki.mozilla.org/CA:MD5and1024
https://en.wikipedia.org/wiki/MD5

I recommend displaying the SHA-1 and SHA2-256 fingerprints of the SSL certificate.

History

#1 Updated by fedor.brunner about 4 years ago

The SHA-1 hash function is also problematic, but it's still much more used then the newer SHA2-256 and most issued SSL certificates use SHA-1. There is a nice analysis of SHA-1 problems here:
https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html

In 2013 Microsoft announced their deprecation policy on SHA-1 according to which Windows will stop accepting SHA-1 certificates in SSL by 2017
http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx

Also available in: Atom PDF