Vince Work’s profile

Latest Comments


Thanks for removing getclicky--an acknowledgment of the security risk mentioned in comment #57, perhaps? However, there are still glaring issues with is transmitting unsalted SHA1 hashes over cleartext HTTP.

Ask yourself this. What did hackers obtain from LinkedIn and post on an online forum--the whole source of this controversy?

Answer: unsalted SHA1 hashes.

Now, what does risk leaking?

Answer: More unsalted SHA1 hashes.

To offer a solution by compounding the problem is just not right. Please reconsider.

Posted in LeakedIn.

Fri, 08 Jun 2012 at 19:08:17 GMT


Despite sound reasoning and suggestions from a few commenters here, remains flawed. Considering the hysteria around this event and the attention is getting, the following MUST be considered:

1) Many users are submitting their SHA-1s to, sent over cleartext http. This traffic can be sniffed (people checking at Starbucks or anywhere with public wifi). The list of exposed SHA-1s is now greater.

2) org's access logs will have URLs tied with IPs--and potentially the user. If a savvy hacker were to get those logs, that would be a nice prize.

3) is using analytics from getclicky. How secure is getclicky? Does getclicky store URLs and IPs? If so, another nice prize if they were obtained.

4) It only takes a malicious site to copy your site and take advantage of the situation. Case in point:

5) Considering the mass hysteria going on, 4) can easily happen with Spam.

The above are paranoid scenarios, but we're talking about security here.

It only took a few hours to make the site, right? Why not spend another couple hours refining the algorithm by doing a client-side-only check (send partial hash to server, return subset from server, compare on client). This site is apparently already doing that: .

Posted in LeakedIn.

Thu, 07 Jun 2012 at 19:07:19 GMT


If a hacker were to get into's webserver and leak it's access log, wouldn't he/she now have more SHA1's to add to the list of 6.5 million?

A page that generates the user's SHA1 (using JS) along with another (static) page that contains the exposed SHA1's for comparison would have been sufficient. Why have SHA1's go through the wire through easily sniffable, http?

Posted in LeakedIn.

Wed, 06 Jun 2012 at 22:57:37 GMT