bitfireAT/cert4android

Fix code scanning alert - Use of a broken or risky cryptographic algorithm

Closed this issue · 4 comments

Is MD5 secure enough to display a fingerprint to let users decide whether the certificate is trusted? Otherwise just keep SHA1.

Tracking issue for:

Browsers show SHA-1 and SHA-256 (and no MD5), so I think we can remove MD5 too:

[Screenshot from 2022-11-29 14-56-27]

Well, MD5 is not proper hashing, so I understand that it might be deprecated. I would personally use SHA-1.

For the end user it's almost the same, just numbers and letters.

Yes, I'd do it like Firefox and display the SHA-1 and the SHA-256 hash. So we just need to replace MD5 with SHA-256 :)

Fixed with 683d211
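
As an added example (not cert4android's code and not part of the thread above), this Kotlin program computes the SHA-1 and SHA-256 fingerprints discussed here over a certificate's DER encoding, renders them browser-style, and checks a fingerprint the user obtained elsewhere while refusing MD5-length input. The function names and the stand-in input bytes are assumptions.

```kotlin
import java.security.MessageDigest

// Digests offered to the user, keyed by the hex length of their fingerprint.
// MD5 (32 hex digits) is deliberately absent.
private val DIGEST_BY_HEX_LENGTH = mapOf(40 to "SHA-1", 64 to "SHA-256")

/** Hashes a certificate's DER encoding (what X509Certificate.getEncoded() returns). */
fun digest(der: ByteArray, algorithm: String): ByteArray {
    require(algorithm in DIGEST_BY_HEX_LENGTH.values) { "unsupported digest: $algorithm" }
    return MessageDigest.getInstance(algorithm).digest(der)
}

/** Browser-style rendering: upper-case hex octets separated by colons. */
fun display(hash: ByteArray): String = hash.joinToString(":") { "%02X".format(it) }

/**
 * Checks a fingerprint the user obtained out of band against the certificate.
 * Accepts any mix of case, colons and spaces; MD5-length or malformed input
 * never matches.
 */
fun matches(der: ByteArray, userInput: String): Boolean {
    val hex = userInput.filterNot { it == ':' || it.isWhitespace() }
    val algorithm = DIGEST_BY_HEX_LENGTH[hex.length] ?: return false
    if (!hex.all { it in "0123456789abcdefABCDEF" }) return false
    val expected = hex.chunked(2).map { it.toInt(16).toByte() }.toByteArray()
    // MessageDigest.isEqual compares the two byte arrays in full.
    return MessageDigest.isEqual(expected, digest(der, algorithm))
}

fun main() {
    // Constructed stand-in bytes; in an app this would be certificate.encoded.
    val der = "constructed stand-in for a DER-encoded certificate".toByteArray()
    val sha1 = display(digest(der, "SHA-1"))
    val sha256 = display(digest(der, "SHA-256"))
    println("SHA-1:   $sha1")
    println("SHA-256: $sha256")
    // Same SHA-256 value typed in lower case with spaces instead of colons.
    println("reformatted SHA-256 matches: " + matches(der, sha256.lowercase().replace(":", " ")))
    // 32 hex digits is the length of an MD5 fingerprint, which is not accepted.
    println("MD5-length input matches:    " + matches(der, "00".repeat(16)))
}
```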