NanderTGA
commented
1 year ago Then I'll normalize the length. Got an idea on how to do that.
Closed stretch07 closed 6 months ago
NanderTGA
commented
1 year ago Then I'll normalize the length. Got an idea on how to do that.
stretch07
commented
1 year ago sounds good. make sure it is able to be decrypted too
NanderTGA
commented
6 months ago Since we are now hashing IPs instead of encrypting, I'll close this issue now.
RixInGithub
commented
4 months ago Since we are now hashing IPs instead of encrypting, I'll close this issue now.
Still quite long hash, since you just createHash("sha256").update(ip).digest("hex").toUpperCase(). For me, my browser (chroim by the way) doesn't even send X-Requested-From, so I honestly don't know how is my hash even generated. It gives the like as such: `
NanderTGA
commented
4 months ago When you send a request, the receiver can always see the ip so it knows where to send the response, otherwise it wouldn't know where to send the response to. Not sure what you're worried about.
stretch07
commented
4 months ago also hashes should just be the normal msgroom length? I think they use MD5?
NanderTGA
commented
4 months ago I'm not sure how secure that would be. We don't want people to get their ips grabbed after all.
stretch07
commented
4 months ago how is md5 not secure enough??? wdym secure?? hashing is one-way, and the odds of a collision are very small
stretch07
commented
4 months ago now I'm really confused, how are you implementing this? is there a live example anywhere that relies on msgroom-server
stretch07
commented
4 months ago not to mention you should be salting these hashes that should completely discard the risk of people blind-guessing IPs by checking if hashes match
RixInGithub
commented
4 months ago now I'm really confused, how are you implementing this? is there a live example anywhere that relies on msgroom-server
A live server of this MsgRoom instance stands on https://nandertga.ddns.org/msgroom (redirects you to port 4096)
stretch07
commented
4 months ago hm, his raspi must be off rn but ill wait and check tomorrow
RixInGithub
commented
4 months ago hm, his raspi must be off rn but ill wait and check tomorrow
Looks like I mistook the TLD by accident, it's https://nandertga.ddns.net/msgroom/
stretch07
commented
4 months ago okay yeah why the fuck are the IDs so long
stretch07
commented
4 months ago @NanderTGA can you explain why MD5 hashing and salting isn't secure enough?
NanderTGA
commented
4 months ago Currently I'm just hashing IPs. MD5 is not recommended for passwords so I thought better safe than sorry and use sha256. The truth is I am not a security expert. I do not know how secure this hashing + salting would be.
Let's list our requirements:
Before listing these I thought about aes, which is two-way, and I don't think we want that. So let's go with hashing + salting. But what algorithm is sufficiently resistant to brute force attacks? I was told MD5 is not.
stretch07
commented
4 months ago But what algorithm is sufficiently resistant to brute force attacks? I was told MD5 is not.
it's not about resistance, it's about MD5 being super super fast (which you should consider as a server-side benefit), which means it doesnt take much time to generate many hashes in one go. I guess I agree with your judgement here but at the same time if you were to scale, you should probably consider MD5 because of its speed advantage
subj. not sure how to fix this