

NoteHub API - elrodeo
http://www.notehub.org/api

======
xnxn
Some hopefully constructive criticism. :)

- I'd recommend using HMAC rather than plain MD5 to generate signatures.
Using MD5 alone exposes you to length extension attacks.

- You should consider putting a timestamp or nonce in the signature
parameters to prevent replay attacks.

- The fact that you're able to validate that MD5(password) is correct implies
that you're storing passwords insecurely.

- Consider switching your API endpoints to use HTTPS and sending the password
unhashed. Hashing the password is not helping you here: since you're using the
hashed value for authentication, any attacker who has it might as well have
the actual password. Luckily, I don't believe this is as useful without also
knowing the PSK, but it's still a design smell.

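The first two points above (a keyed MAC instead of a bare MD5 digest, plus a timestamp and nonce to stop replays) are easy to show together. The following is an added example, not code from NoteHub or from any commenter: it signs request parameters with HMAC-SHA256 over a canonical, sorted serialization, and the verifier rejects stale timestamps, reused nonces and tampered bodies, comparing the MAC in constant time. The secret key, parameter names and the 300-second window are all assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode

# Constructed publisher secret for this example (hypothetical; not a real NoteHub key).
PUBLISHER_SECRET = b"example-publisher-secret-key"

# Accept timestamps within +/- this many seconds of the server clock.
MAX_SKEW_SECONDS = 300

# Server-side memory of nonces seen recently, keyed by nonce -> time first seen.
_seen_nonces: Dict[str, float] = {}


def canonical_string(params: dict) -> str:
    """Deterministic serialization of the signed fields: sorted keys, URL-encoded.
    The 'signature' field itself is excluded so client and server hash the same bytes."""
    return urlencode(sorted((k, str(v)) for k, v in params.items() if k != "signature"))


def sign_request(params: dict, secret: bytes = PUBLISHER_SECRET, now: Optional[float] = None) -> dict:
    """Client side: add a timestamp and a random nonce, then attach HMAC-SHA256 over
    the canonical string. Unlike MD5(secret + message), HMAC keys the hash properly
    and is not subject to length-extension."""
    signed = dict(params)
    signed["timestamp"] = int(now if now is not None else time.time())
    signed["nonce"] = secrets.token_hex(16)
    signed["signature"] = hmac.new(secret, canonical_string(signed).encode(), hashlib.sha256).hexdigest()
    return signed


def verify_request(params: dict, secret: bytes = PUBLISHER_SECRET, now: Optional[float] = None) -> Tuple[bool, str]:
    """Server side: check the timestamp window, reject a nonce seen before, and
    compare the MAC in constant time. Returns (accepted, reason)."""
    now = now if now is not None else time.time()
    try:
        ts = int(params["timestamp"])
        nonce = str(params["nonce"])
        sig = str(params["signature"])
    except (KeyError, ValueError):
        return False, "missing or malformed signature parameters"

    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside acceptable window"

    # Forget nonces older than twice the window: any request carrying one of them
    # would already fail the timestamp check, so the memory stays bounded safely.
    for n, seen_at in list(_seen_nonces.items()):
        if now - seen_at > 2 * MAX_SKEW_SECONDS:
            del _seen_nonces[n]
    if nonce in _seen_nonces:
        return False, "nonce already used (replay)"

    expected = hmac.new(secret, canonical_string(params).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"

    _seen_nonces[nonce] = now
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample request: a publisher posting a note through the API.
    note = {"title": "hello", "note": "body text", "publisher": "example-publisher"}
    signed = sign_request(note)
    print(verify_request(signed))          # (True, 'ok')
    print(verify_request(signed))          # replay of the same request is refused
    signed["note"] = "edited in transit"
    print(verify_request(signed))          # tampered body fails the MAC
```

The nonce table here is an in-process dict, which is enough for a single server; behind several app instances it would need shared storage with the same expiry rule. The timestamp window alone does not stop an immediate replay, and the nonce check alone would need unbounded memory, so the two checks are meant to be used together.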
~~~
elrodeo
Thanks a lot for your comments!

> Using MD5 alone exposes you to length extension attacks.

Since NoteHub is anonymous, my concern is not security, but spam
protection only. The Publisher Secret Key + signatures is just a means to allow
3rd-party tools to post to NoteHub without a captcha. That's all.

> The fact that you're able to validate that MD5(password) is correct implies
> that you're storing passwords insecurely.

Absolutely, the only reason I hash the passwords in the web client and advise
in the API to send hashes and not plain passwords is to kind of protect
users' passwords in the context of an insecure transport layer.

> Consider switching your API endpoints to use HTTPS

HTTPS costs money. NoteHub is a free toy tool, a pastebin for one-off notes. I
feel like fancy security would be overkill for 99% of all use cases.

------
nadaviv
This looks very nice, but it's somewhat inconvenient to write with the preview
on top, as it makes the textarea jump around as I type. I think that
side-by-side or putting the preview on the bottom would make more sense.

~~~
sorahn
[http://dillinger.io/](http://dillinger.io/)

------
rhythmvs
Nice updates! Alas, the service seems to be broken: whenever I try to create a new
note, I get “Bad Request”. Care to have a look? Much appreciated, and thanks a
lot!

[https://github.com/chmllr/NoteHub/issues/8](https://github.com/chmllr/NoteHub/issues/8)

------
motyar
Very useful. I just managed to hide the panel, see
[http://www.notehub.org/2014/1/13/where-is-the-panel](http://www.notehub.org/2014/1/13/where-is-the-panel)

Seems like a feature to me.

------
sjustinas
What's the deal with MD5 (both for signatures and password hashing)?

~~~
elrodeo
Spam/flood protection.

~~~
stuff4ben
I think it was more of a question of why md5 versus something a bit stronger
like sha256?

~~~
sajithdilshan
So that it would be easier for the NSA to crack it?

------
jalan
Just stumbled across it, nice work BTW.

