Closed stretch07 closed 6 months ago
Then I'll normalize the length. Got an idea on how to do that.
sounds good. make sure it is able to be decrypted too
Since we are now hashing IPs instead of encrypting, I'll close this issue now.
Still quite long hash, since you just `createHash("sha256").update(ip).digest("hex").toUpperCase()`. For me, my browser (Chrome by the way) doesn't even send X-Requested-From, so I honestly don't know how my hash is even generated. It gives the like as such: `
When you send a request, the receiver can always see the ip so it knows where to send the response, otherwise it wouldn't know where to send the response to. Not sure what you're worried about.
also hashes should just be the normal msgroom length? I think they use MD5?
I'm not sure how secure that would be. We don't want people to get their ips grabbed after all.
how is md5 not secure enough??? wdym secure?? hashing is one-way, and the odds of a collision are very small
now I'm really confused, how are you implementing this? is there a live example anywhere that relies on msgroom-server
not to mention you should be salting these hashes that should completely discard the risk of people blind-guessing IPs by checking if hashes match
A live server of this MsgRoom instance stands on https://nandertga.ddns.org/msgroom (redirects you to port 4096)
hm, his raspi must be off rn but ill wait and check tomorrow
Looks like I mistook the TLD by accident, it's https://nandertga.ddns.net/msgroom/
okay yeah why the fuck are the IDs so long
@NanderTGA can you explain why MD5 hashing and salting isn't secure enough?
Currently I'm just hashing IPs. MD5 is not recommended for passwords so I thought better safe than sorry and use sha256. The truth is I am not a security expert. I do not know how secure this hashing + salting would be.
Let's list our requirements:
Before listing these I thought about aes, which is two-way, and I don't think we want that. So let's go with hashing + salting. But what algorithm is sufficiently resistant to brute force attacks? I was told MD5 is not.
it's not about resistance, it's about MD5 being super super fast (which you should consider as a server-side benefit), which means it doesn't take much time to generate many hashes in one go. I guess I agree with your judgement here but at the same time if you were to scale, you should probably consider MD5 because of its speed advantage
subj. not sure how to fix this