If I sha256 hash your IP on my site to identify you, does that count as tracking your IP? 🤔

Discussion

If you can unhash it, yes.

Though you make the assumption it's my IP that I use.

Of course 😅

Do I get to set a password and salt? I trust you are a good actor but I’d rather whatever is developed doesn’t require trust in the host or a third party to not have a rainbow table for IP addresses.

This would be for unauthenticated users trying to brute force sign ups or logins, once you're logged in I identify you with the email you used.

rate limiting by IP is common and good

We still gonna hash it and maximum cache for 1 minute, I think it's a reasonable trade off.

Seems reasonable enough.

Email? Will users be able to sign up with an npub? 😁

You can match different usages across time so yes

Great point. A hash might be an otherwise indecipherable string but if it’s constant it’s an identifier nevertheless.

Yes, because you can receive an order from the state to provide everything you have about a given IP. You can hash the requested IP to find somebody's past actions and deliver it.

I need to do rate limiting, I don't see any way around this. But since I only cache it for one minute at a time I'll only ever have max 1 minute of data to potentially leak

Depends on if you salt it.

Definitely will be salting and salts only last 1 minute
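
The scheme the thread converges on (salted hash of the IP, with salt and cached counters both living one minute), sketched as an added example that is not code from any participant. The class name, the limit of 3, the fixed-window alignment and the use of HMAC-SHA256 with a random in-memory key as the "salt" are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time


class RotatingSaltLimiter:
    """Hypothetical limiter keyed on HMAC(salt, ip); salt and counts last one window."""

    def __init__(self, limit=5, window=60, clock=time.time):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._epoch = None
        self._salt = b""
        self._counts = {}

    def _rotate(self):
        epoch = int(self.clock() // self.window)
        if epoch != self._epoch:
            # New window: fresh random salt, old counters discarded. The old
            # salt is never stored, so old identifiers cannot be recomputed
            # from a given IP afterwards.
            self._epoch = epoch
            self._salt = secrets.token_bytes(32)
            self._counts = {}

    def identifier(self, ip):
        self._rotate()
        # A bare sha256(ip) can be reversed by hashing all 2**32 IPv4
        # addresses; a secret random key removes that lookup.
        return hmac.new(self._salt, ip.encode(), hashlib.sha256).hexdigest()

    def allow(self, ip):
        key = self.identifier(ip)
        self._counts[key] = self._counts.get(key, 0) + 1
        return self._counts[key] <= self.limit


def demo():
    now = [0.0]  # constructed fake clock so the rotation is deterministic
    rl = RotatingSaltLimiter(limit=3, window=60, clock=lambda: now[0])
    ip = "203.0.113.7"  # constructed address from the documentation range
    first = rl.identifier(ip)
    results = [rl.allow(ip) for _ in range(5)]
    now[0] = 61.0  # next window: new salt, empty counters
    second = rl.identifier(ip)
    return first, second, results, rl.allow(ip)
```

Within one window the identifier is constant, which is what makes the rate limit work; across windows the same IP maps to unrelated values, so usage cannot be matched over time.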