Electrum: WARNING: SHA1 is insecure

Created on 18 Apr 2020 · 8 Comments · Source: spesmilo/electrum

I'm not sure what the function in rsakey.py is used for exactly

but SHA1 has been deemed insecure for quite a while now
just do a search and you'll find tons of sources on it

what's more concerning is every electrum-based wallet I have uses this same function. >_>
even for coins like Dash, Verge, and PIVX which are touted to be highly secure...

hopefully this function can be removed
because even if it's not used for much anything, it's still being banned


All 8 comments

something I know for a fact reported on by Hak5 is that numerous inputs can return the same hash value.
if you like I can post the YT video on it :)

This code is for verifying BIP70 payment requests. BIP70 is old, and obsolete, no one uses it anymore.

This is only vulnerable if the payment request is signed by a domain that uses an SSL/TLS cert that uses SHA1 for the algorithm.

Most domains have moved on from SHA1.

So to hit this code:

  1. The domain that signed the payment request needs to have a cert that uses SHA1.
  2. The electrum user needs to pay money to a BIP70 payment request from that domain.

iirc the only place using BIP70 is Bitpay, and their domain uses SHA512...

Soooo you will never hit this code. But it needs to be there for backwards compatibility sake.

alright thank you :)

honestly, I think anyone still using SHA1 has many other factors to worry about like the protocol itself being removed from supporting modules like CryptoDome or Hashlib...
I assume you'll wait till that happens before removing BIP70 support here right??

I think BIP70 support should be kept until there is a proper replacement. Bitpay still uses it.

we often hear from users who get robbed by clipboard malware.
I believe bip70 prevents some of those attacks.

> I believe bip70 prevents some of those attacks.

has anyone informed them to move up to at least SHA256??

and yeah I may have been a bit quick to jump on the removal bandwagon...
all that really needs to be done is they improve its security.

> has anyone informed them to move up to at least SHA256??

Go to https://bitpay.com and look at their cert. They use SHA256.

> Bitpay

They removed BIP70 restrictions since Core removed it in 0.19.
Now they are using this: https://bitpay.com/blog/json-payment-protocol/
