On 3/12/19 12:59 PM, clime wrote:
> I am missing the point of encrypting the hash. I could understand it for
> md5, which is crackable nowadays but not quite for sha256. That hash
> should be non-reversible in practical terms and then we can always just
> jump to sha512 in a few years when hardware is stronger

SHA256 is still susceptible to rainbow table attacks so in theory a dedicated spammer could still harvest libravatar users' hashes for his nefarious purpose and use them to validate email addresses. This issue has been raised since Gravatar's birth. Oliver proposes a mechanism to solve this issue but with a clear drawback: in its current form it breaks federation.
_______________________________________________
Mailing list: https://launchpad.net/~libravatar-fans
Post to     : libravatar-fans@lists.launchpad.net
Unsubscribe : https://launchpad.net/~libravatar-fans
More help   : https://help.launchpad.net/ListHelp
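
The point under discussion in this thread, as an added example that is not code from the thread or from the Libravatar project: an unkeyed SHA-256 of a normalised address is deterministic, so published identifiers can be confirmed against any candidate list even though the hash is never reversed. The keyed variant (`keyed_id`, `SERVER_KEY`) is a generic HMAC construction assumed here for contrast, not the mechanism proposed on the list, and all addresses are constructed.

```python
import hashlib
import hmac


def normalize(email):
    # Avatar-service style normalisation: trim whitespace, lowercase.
    return email.strip().lower()


def public_id(email):
    """Unkeyed identifier: anyone who knows the address can compute it."""
    return hashlib.sha256(normalize(email).encode("utf-8")).hexdigest()


def keyed_id(email, server_key):
    """Keyed identifier (assumed variant): needs a secret held by one server."""
    data = normalize(email).encode("utf-8")
    return hmac.new(server_key, data, hashlib.sha256).hexdigest()


def confirmable(published, candidates, id_func):
    """Return the candidate addresses whose identifier appears in `published`."""
    return [c for c in candidates if id_func(c) in published]


# Constructed sample data (example.org addresses, not real users).
USERS = ["alice@example.org", "Bob@Example.org "]
CANDIDATES = ["alice@example.org", "bob@example.org", "carol@example.org"]
SERVER_KEY = b"constructed-demo-key"  # placeholder secret for the demo
WRONG_KEY = b"guess"


def demo():
    unkeyed = {public_id(u) for u in USERS}
    keyed = {keyed_id(u, SERVER_KEY) for u in USERS}
    return {
        # Unkeyed: every listed user on the candidate list is confirmed.
        "unkeyed": confirmable(unkeyed, CANDIDATES, public_id),
        # Keyed: nothing matches without the exact server key...
        "keyed_no_key": confirmable(keyed, CANDIDATES, public_id),
        "keyed_wrong_key": confirmable(
            keyed, CANDIDATES, lambda e: keyed_id(e, WRONG_KEY)),
        # ...and only the key holder can derive the identifier at all.
        "keyed_with_key": confirmable(
            keyed, CANDIDATES, lambda e: keyed_id(e, SERVER_KEY)),
    }


if __name__ == "__main__":
    for name, matches in demo().items():
        print(name, matches)
```

The last two results show the trade-off: a client that does not hold the key cannot compute the identifier itself, which is the kind of cost to federated lookups the reply refers to.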