I agree that this is bad. I am visiting this site via TOR using a very-high-entropy password that I don't use anywhere else (passwordsafes ftw!), so the worst thing that can happen to ME is that I lose access to my account because someone re-sends the hash, given that this sounds as if there is no protection against replay-attacks…
BUT: I am willing to bet one month of denial that there are quite a few other users for whom this is not the case. Hashing with MD5, while certainly not good, is IMO still a passing grade (hashing with sha3 really wouldn't be any better).
What is however really worrisome is that all that extremely private stuff, which could in some cases ruin people's lives, goes over the wire unencrypted. If someone is able to correlate a certain account to a certain person, this could be nasty, and it might not be as hard as you may think. Given the information that user X is a Y year old male student of subject Z in a certain medium-sized town can narrow things down A LOT.
So by all means: please enable encryption, or at least provide it as an option. It's not even that slow nowadays: if you can afford PHP, you can afford encryption. ;-)
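The replay problem the post describes, as an added example that is not code from the post or the site in question: a server that accepts a bare md5(password) accepts it as many times as it is resent, whereas a single-use server nonce makes each login response worthless once used. The user name, password and hash function are constructed for the demo; this only addresses login replay, and the other content the post worries about still needs TLS on the wire.

```python
import hashlib
import hmac
import secrets

# Constructed user store: the site keeps md5(password), as the post describes.
USERS = {"alice": hashlib.md5(b"correct horse battery staple").hexdigest()}


def client_static_hash(password: str) -> str:
    """What the current client sends: a static md5 of the password."""
    return hashlib.md5(password.encode()).hexdigest()


def login_static_hash(user: str, submitted_hash: str) -> bool:
    """Current scheme: the hash is a password-equivalent, so a captured copy
    keeps working on every later resend (there is nothing that expires)."""
    stored = USERS.get(user)
    return stored is not None and hmac.compare_digest(stored, submitted_hash)


class ChallengeServer:
    """Challenge-response over the same stored hash: the client proves it knows
    md5(password) by keying an HMAC with it over a one-time server nonce."""

    def __init__(self) -> None:
        self._pending: dict[str, str] = {}

    def challenge(self, user: str) -> str:
        nonce = secrets.token_hex(16)
        self._pending[user] = nonce        # one outstanding nonce per user
        return nonce

    def login(self, user: str, response: str) -> bool:
        nonce = self._pending.pop(user, None)   # consumed on first use
        stored = USERS.get(user)
        if nonce is None or stored is None:
            return False
        expected = hmac.new(stored.encode(), nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def client_response(password: str, nonce: str) -> str:
    """Client side of the challenge-response: HMAC(md5(password), nonce)."""
    key = hashlib.md5(password.encode()).hexdigest().encode()
    return hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()
```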