Bug #2865
MD5 fingerprint displayed for certificate
| Status: | New | Start date: | 01/14/2014 | |
|---|---|---|---|---|
| Priority: | Normal | Due date: | ||
| Assignee: | - | % Done: | 0% | |
| Category: | - | |||
| Target version: | - | |||
| Component: |
Description
When new SSL certificate is supplied by the server, ChatSecure displays the MD5 and SHA-1 fingerprint.
Don't display the MD5 fingerprint because doesn't offer no protection against certificate forgeries.
MD5 considered harmful today - Creating a rogue CA certificate
http://www.win.tue.nl/hashclash/rogue-ca/
https://wiki.mozilla.org/CA:MD5and1024
https://en.wikipedia.org/wiki/MD5
I recommend displaying the SHA-1 and SHA2-256 fingerprints of the SSL certificate.
History
#1 Updated by fedor.brunner about 4 years ago
The SHA-1 hash function is also problematic, but it's still much more used then the newer SHA2-256 and most issued SSL certificates use SHA-1. There is a nice analysis of SHA-1 problems here:
https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html
In 2013 Microsoft announced their deprecation policy on SHA-1 according to which Windows will stop accepting SHA-1 certificates in SSL by 2017
http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx