Old 03-16-2017, 04:50 PM   #11
Fiona

I agree that this is bad. I am visiting this site via Tor using a very-high-entropy password that I don't use anywhere else (password safes ftw!), so the worst thing that can happen to ME is that I lose access to my account because someone re-sends the hash, given that this sounds as if there is no protection against replay attacks…

BUT: I am willing to bet one month of denial that there are quite a few other users for whom this is not the case. Hashing with MD5, while certainly not good, is IMO still a passing grade (hashing with SHA-3 really wouldn't be any better).

What is, however, really worrisome is that all that extremely private stuff that could in some cases ruin people's lives goes over the wire unencrypted. If someone is able to correlate a certain account to a certain person, this could be nasty and might not be as hard as you may think. The information that user X is a Y-year-old male student of subject Z in a certain medium-sized town can narrow things down A LOT.

So by all means: Please enable encryption or at least provide it as an option. It's not even that slow nowadays: If you can afford PHP, you can afford encryption. ;-)