Fake News - no cure for that?

I recently read about a “massive fake news machine” that the German Foreign Ministry claims to have uncovered (see below). It can hardly be distinguished from legitimate news.

It occurred to me spontaneously that if you are not able to stop manipulated news, you should at least be able to identify legitimate news.

The idea is simple: let’s create a digital network of trust using cryptographic means.

From here it gets technical…

The simplest form of signing is the calculation of a hash values. So let’s assume I want to tweet as @holtwick: “I don’t like fake news!” and my secret would be “Gurkensalat” (usually called “salt”). In the terminal it would go like this:

echo -n "@holtwick I don't like fake news! Gurkensalat" | shasum -a 256

Alternatively with OpenSSL:

echo -n "@holtwick I don't like fake news! Gurkensalat" | openssl dgst -sha256

The result is:


This can also be calculated before I tweet it. Then I take part of the result, e.g. the first 8 characters, and send it with the message, perhaps with a distinguishing feature such as a preceding ~ character:


I don’t like fake news! ~55bc8fe5

Now it’s time to verify something like this. A small service on your own website would be conceivable. Here is a small example in PHP of what an online check could look like:


// This one is top secret :)
$salt = "Gurkensalat";

// Normalize whitespace to avoid copy paste issues
$sample = trim(preg_replace('/[\t\n\r\s]+/', ' ', $_GET["text"])) . " " . $salt;

// Calculate SHA256 and only use the first 8 chars
$hash = substr(hash('sha256',  $sample), 0, 8);

// Compare hashes and return result
echo strcmp($_GET["hash"], $hash) == 0 ? "ok" : "invalid";

The resulting URL would then be: https://holtwick.de/experiments/id.php?text=@holtwick%20I%20don%27t%20like%20fake%20news!&hash=55bc8fe5

Try it out:

Ok, that was a relatively primitive implementation to illustrate the idea. For a serious application, other techniques would certainly be used, such as a public key procedure or blockchains. Of course, there are already services that do something similar, as this overview from the Federal Network Agency shows.


I’m no cryptography expert and I’m sure I’ve overlooked some attack vectors, but I still think that there are technical possibilities that can at least make it more difficult to claim things in a false name.


Published on February 7, 2024

Back to posts listing