
libravatar-fans team mailing list archive

Re: Discussion: API keys - follow up from IRC


On Tuesday, 12 March 2019, Oliver Falk <oliver@xxxxxxxxxxxxxxx> wrote:

> Hey.
>
> Thanks Tristan for bringing it to the point. :-)
> Yes, federation wouldn't work - only if we do not encrypt the hash, but
> instead the mail-address (makes sense, since it's anyway encrypted) and
> Libravatar proxies the requests to the federated site. Which means, that
> these sites would only need to trust Libravatar.
> BTW. That raises the question in my mind do we know how many sites
> actually run their own Libravatar (compatible) service? I guess no!? @Francois
> Marier <francois@xxxxxxxxxxx> do you know anything?
>
> So in the end it boils down to the question if we want to build and offer
> such a feature and if, we need to think about the implementation details -
> what I built for the moment is only a raw PoC/idea.
>

Good luck.


>
> Oliver
>
>
> On Tue, Mar 12, 2019 at 3:03 PM Tristan Le Guern <tleguern@xxxxxxxxxxx>
> wrote:
>
>> On 3/12/19 12:59 PM, clime wrote:
>> > I am missing the point encrypting the hash. I could understand it for
>> > md5, which is crackable nowadays but not quite for sha256. That hash
>> > should be non-reversible in practical terms and then we can always just
>> > jump to sha512 in a few years when hardware is stronger
>>
>> SHA256 is still susceptible to rainbow table attacks, so in theory a
>> dedicated spammer could still harvest libravatar users' hashes for his
>> nefarious purpose and use them to validate email addresses. This issue
>> has been raised since Gravatar's birth.
>>
>> Oliver proposes a mechanism to solve this issue but with a clear
>> drawback: in its current form it breaks federation.
>>
>> _______________________________________________
>> Mailing list: https://launchpad.net/~libravatar-fans
>> Post to     : libravatar-fans@xxxxxxxxxxxxxxxxxxx
>> Unsubscribe : https://launchpad.net/~libravatar-fans
>> More help   : https://help.launchpad.net/ListHelp
>>
>
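The risk Tristan describes (an unkeyed SHA-256 of a low-entropy email address can be matched against a precomputed candidate list) and the trade-off behind Oliver's idea (a value only the key holder can compute, which is why a federated server without the key cannot serve it), as an added Python example that is not part of this thread and not Libravatar's or Oliver's PoC code. The addresses, the server secret and the HMAC-SHA256 "keyed hash" are constructed assumptions for illustration.

```python
import hashlib
import hmac


def avatar_hash(email: str) -> str:
    """Gravatar/Libravatar-style lookup hash: trim, lowercase, SHA-256 hex."""
    normalized = email.strip().lower()
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


def keyed_hash(email: str, secret: bytes) -> str:
    """Hypothetical keyed variant (assumption, not Oliver's implementation):
    HMAC-SHA256 under a server-side secret.

    Only a party holding `secret` can map an address to this value. That closes
    the precomputation gap, and it is also why a federated avatar server that
    lacks the key cannot answer the lookup on its own.
    """
    normalized = email.strip().lower()
    return hmac.new(secret, normalized.encode("utf-8"), hashlib.sha256).hexdigest()


# Constructed candidate list, standing in for the much larger name/provider
# combinations a harvester would precompute (a rainbow-table stand-in).
CANDIDATES = [
    "alice@example.org",
    "bob@example.org",
    "carol@example.net",
    "dave@example.com",
]


def build_lookup(candidates, hash_fn=avatar_hash):
    """Precompute hash -> address for every candidate."""
    return {hash_fn(c): c for c in candidates}


def match_published(published_hashes, lookup):
    """Return {hash: recovered address or None} for hashes seen in avatar URLs."""
    return {h: lookup.get(h) for h in published_hashes}


def demo():
    # Constructed "observed" hashes, as they would appear in avatar URLs.
    published = [
        avatar_hash("Alice@Example.org "),   # normalizes to a listed candidate
        avatar_hash("zed@unlisted.test"),    # not in the candidate list
    ]

    # 1. Plain SHA-256: an offline dictionary recovers any listed address.
    plain = match_published(published, build_lookup(CANDIDATES))

    # 2. Keyed hash: the same dictionary, built without the secret, matches nothing.
    secret = b"constructed-server-secret"
    published_keyed = [keyed_hash("alice@example.org", secret)]
    keyed_without_secret = match_published(published_keyed, build_lookup(CANDIDATES))

    # 3. The key holder can still verify an address (a check, not a reversal).
    holder_can_verify = keyed_hash("alice@example.org", secret) == published_keyed[0]
    return plain, keyed_without_secret, holder_can_verify


if __name__ == "__main__":
    plain, keyed, ok = demo()
    print("plain SHA-256 matches:", plain)
    print("keyed matches without secret:", keyed)
    print("key holder can verify:", ok)
```

Switching from SHA-256 to SHA-512, as clime suggests, does not change result 1: the candidate space is the address list, not the digest length, so the cost of the precomputation is the same. Result 2 is the protection a key gives, and result 3 is the dependency that breaks federation unless, as Oliver sketches, the central service proxies the lookups for the federated sites.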
