NoteHub API

notehub.org

24 points by elrodeo 12 years ago · 11 comments

xnxn 12 years ago

Some hopefully constructive criticism. :)

- I'd recommend using HMAC rather than plain MD5 to generate signatures. Using MD5 alone exposes you to length extension attacks.

- You should consider putting a timestamp or nonce in the signature parameters to prevent replay attacks.

- The fact that you're able to validate that MD5(password) is correct implies that you're storing passwords insecurely.

- Consider switching your API endpoints to use HTTPS and sending the password unhashed. Hashing the password is not helping you here: since you're using the hashed value for authentication, any attacker who has it might as well have the actual password. Luckily, I don't believe this is as useful without also knowing the PSK, but it's still a design smell.

  • elrodeo (OP) 12 years ago

    Thanks a lot for your comments!

    > Using MD5 alone exposes you to length extension attacks.

    Since NoteHub is anonymous, my concern is not security, but spam protection only. The Publisher Secret Key + signatures is just a means to allow 3rd-party tools to post to NoteHub without a captcha. That's all.

    > The fact that you're able to validate that MD5(password) is correct implies that you're storing passwords insecurely.

    Absolutely, the only reason I hash the passwords in the web client and advise in the API to send hashes and not plain passwords is to kind of protect users' passwords in the context of an insecure transport layer.

    > Consider switching your API endpoints to use HTTPS

    HTTPS costs money. NoteHub is a free toy tool, a pastebin for one-off notes. I feel like fancy security would be overkill for 99% of all use cases.
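The two signature points raised in the thread above (length extension on a bare MD5 signature, and replay without a timestamp or nonce), worked through as an added example. This is not NoteHub's code: the page does not show how NoteHub actually combines the Publisher Secret Key with the request parameters, so the weak scheme below assumes the textbook form sig = MD5(secret || params), which is exactly the construction length extension targets. The key, parameter names and the 300-second skew window are invented for the demo.

```python
"""Added example, not NoteHub's code: MD5(secret || msg) is forgeable by length
extension; HMAC over params plus a timestamp and nonce is not, and also
rejects replays. Secret, parameter names and skew window are invented."""
import hashlib
import hmac
import math
import struct

MASK = 0xFFFFFFFF
# Per-round rotate amounts and sine-derived constants from RFC 1321.
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
K = [int(abs(math.sin(i + 1)) * 2 ** 32) & MASK for i in range(64)]
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)


def _rotl(x, c):
    return ((x << c) | (x >> (32 - c))) & MASK


def _compress(state, block):
    """One MD5 compression of a 64-byte block onto the 4-word state."""
    a0, b0, c0, d0 = state
    M = struct.unpack("<16I", block)
    A, B, C, D = state
    for i in range(64):
        if i < 16:
            F, g = (B & C) | (~B & D), i
        elif i < 32:
            F, g = (D & B) | (~D & C), (5 * i + 1) % 16
        elif i < 48:
            F, g = B ^ C ^ D, (3 * i + 5) % 16
        else:
            F, g = C ^ (B | ~D), (7 * i) % 16
        F = (F + A + K[i] + M[g]) & MASK
        A, D, C, B = D, C, B, (B + _rotl(F, S[i])) & MASK
    return ((a0 + A) & MASK, (b0 + B) & MASK, (c0 + C) & MASK, (d0 + D) & MASK)


def md5_padding(total_len):
    """Bytes MD5 appends to a total_len-byte message before compressing it."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack("<Q", total_len * 8)


def md5(data, state=IV, already_hashed=0):
    """MD5 of data; can resume from a known state as if already_hashed bytes preceded it."""
    padded = data + md5_padding(already_hashed + len(data))
    for off in range(0, len(padded), 64):
        state = _compress(state, padded[off:off + 64])
    return struct.pack("<4I", *state)


# --- weak scheme (assumed): sig = MD5(secret || message) --------------------
def weak_sign(secret, message):
    return hashlib.md5(secret + message).hexdigest()


def weak_verify(secret, message, sig):
    return hmac.compare_digest(weak_sign(secret, message), sig)


def length_extend(sig_hex, message, suffix, secret_len):
    """Forge a valid sig for message||glue||suffix knowing only len(secret), not secret."""
    state = struct.unpack("<4I", bytes.fromhex(sig_hex))   # digest IS the internal state
    glue = md5_padding(secret_len + len(message))          # padding the server would have used
    forged_sig = md5(suffix, state, secret_len + len(message) + len(glue)).hex()
    return message + glue + suffix, forged_sig


# --- hardened scheme: HMAC-SHA256 over sorted params, with ts and nonce -----
SEEN_NONCES = set()   # in a real service: a per-publisher store with expiry
MAX_SKEW = 300        # seconds; invented window for the demo


def strong_sign(secret, params):
    msg = "&".join(f"{k}={params[k]}" for k in sorted(params)).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def strong_verify(secret, params, sig, now):
    if abs(now - int(params.get("ts", 0))) > MAX_SKEW:      # stale or future-dated
        return False
    if params.get("nonce") in SEEN_NONCES:                   # replay
        return False
    if not hmac.compare_digest(strong_sign(secret, params), sig):
        return False
    SEEN_NONCES.add(params["nonce"])
    return True


def demo():
    secret = b"publisher-secret-key"          # invented PSK
    msg = b"note=hello&title=demo"
    forged_msg, forged_sig = length_extend(weak_sign(secret, msg), msg, b"&note=spam", len(secret))
    now = 1_700_000_000                        # fixed clock so the demo is deterministic
    ok = {"note": "hello", "ts": now - 10, "nonce": "a1b2c3"}
    stale = {"note": "hello", "ts": now - 3600, "nonce": "d4e5f6"}
    return {
        "md5_matches_hashlib": md5(b"abc") == hashlib.md5(b"abc").digest(),
        "forgery_accepted": weak_verify(secret, forged_msg, forged_sig),
        "hmac_first_use": strong_verify(secret, ok, strong_sign(secret, ok), now),
        "hmac_replay": strong_verify(secret, ok, strong_sign(secret, ok), now),
        "hmac_stale": strong_verify(secret, stale, strong_sign(secret, stale), now),
    }
```

The forgery works because an MD5 digest is the hash's full internal state, so anyone holding MD5(secret || msg) can keep hashing from there; the attacker needs only the secret's length, which can be brute-forced by trying a handful of values. The glue bytes (0x80, zeros, length) must reach the server's hashing step unchanged, so in a real query string they would have to be percent-encoded and the server would have to sign the decoded bytes. HMAC has no such property, and the timestamp plus nonce check means a captured valid request cannot be re-posted once it has been seen or has aged out.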

nadaviv 12 years ago

This looks very nice, but it's somewhat inconvenient to write with the preview on top, as it makes the textarea jump around as I type. I think that side-by-side or putting the preview on the bottom would make more sense.

rhythmvs 12 years ago

Nice updates! Alas, the service seems to be broken: whenever I try to create a new note, I get “Bad Request”. Care to have a look? Much appreciated, and thanks a lot!

https://github.com/chmllr/NoteHub/issues/8

motyar 12 years ago

Very useful. I just managed to hide the panel, see http://www.notehub.org/2014/1/13/where-is-the-panel

Seems like a feature to me.

sjustinas 12 years ago

What's the deal with MD5 (both for signatures and password hashing)?

jalan 12 years ago

Just stumbled across it, nice work BTW.