• 2 Posts
  • 28 Comments
Joined 4 years ago
Cake day: January 20th, 2021

  • This protects the database from a breach, but someone can set up an instance and collect the passwords from the logs:

    As far as I can tell with my very limited experience, back-end encryption is the standard. One trusts the host not to steal their passwords from the logs, so protecting the data in the case of a breach is good enough. I think that it would make sense for the standard in the Fediverse to be different. Passwords should be encrypted by the client by default, and then re-hashed back-end.

    It is also possible that what I am saying does not make sense on practical grounds - this is just something that surprised me while looking through the logs. I was under the wrong impression that plain text passwords were never accessible before looking into this topic.



  • I would be happy to see client-side password hashing implemented.

    I understand that the responsibility of using unique passwords falls on the user, and maybe a truly malicious instance would be able to remove the hashing (although I think that it would be possible to check if non-hashed passwords leave the client). However, the reality is that many people still re-use their password for many websites and do not use 2FA when not required. Password hashing would reduce the level of trust required of the instance makers.

    In a similar vein, it would be nice to anonymize the IP addresses that are printed to the docker logs if possible, similar to the nginx logs. I think that this would be easier to undo for a malicious instance, but at least they would need to have a bit more technical knowledge to get to this information.
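The scheme sketched in the two comments above (hash on the client, re-hash on the server, and check that the raw password never leaves the client), as an added example. This is not Lemmy's code: the instance domain, the JSON field names and the iteration counts are assumptions, and PBKDF2 stands in for whatever password hash the server would really use.

```python
"""Client-side password pre-hashing with server-side re-hashing.

Added example (not Lemmy's code). The browser derives a site-bound digest
from the password and sends that; an instance that logs request bodies sees
the digest, not the password. The server then hashes the digest again with
a random per-user salt so a database dump is not replayable at the login
endpoint. Field names, domain and iteration counts are assumptions.
"""
import hashlib
import hmac
import json
import secrets

CLIENT_ITERATIONS = 100_000  # assumption: pick for the slowest supported browser
SERVER_ITERATIONS = 100_000  # assumption: pick for the server's CPU budget


def client_prehash(domain: str, username: str, password: str) -> str:
    """Digest the browser sends in place of the password.

    The salt is deterministic (domain + username) because the client keeps
    no state between logins. Binding the domain means a digest harvested
    by one instance is not directly replayable at another instance, even
    when the user reuses the password there.
    """
    salt = f"{domain.lower()}\x00{username.lower()}".encode()
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, CLIENT_ITERATIONS)
    return digest.hex()


def build_login_body(domain: str, username: str, password: str) -> str:
    """JSON body as it would appear in the instance's request log
    (assumed field names, not a real API)."""
    return json.dumps({"username": username,
                       "password": client_prehash(domain, username, password)})


def leaks_plaintext(body: str, password: str) -> bool:
    """Self-check the comment alludes to: does the raw password appear in
    what is about to leave the client? Only meaningful when the client
    code itself is trusted, since the instance serves that code."""
    return password in body


def server_store(client_hash: str) -> dict:
    """Server side: never store the client digest as-is; re-hash it with a
    random salt so a database breach yields nothing replayable."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", client_hash.encode(), salt, SERVER_ITERATIONS)
    return {"salt": salt.hex(), "iterations": SERVER_ITERATIONS, "hash": digest.hex()}


def server_verify(record: dict, client_hash: str) -> bool:
    """Constant-time comparison of the re-hashed candidate with the record."""
    digest = hashlib.pbkdf2_hmac("sha256", client_hash.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def signup_then_login(domain: str, username: str, password: str) -> dict:
    """Walk one account through signup and login and report what each
    party (request log, database, login endpoint) ends up holding."""
    body = build_login_body(domain, username, password)
    client_hash = json.loads(body)["password"]
    record = server_store(client_hash)
    return {
        "logged_body_contains_password": leaks_plaintext(body, password),
        "stored_hash_equals_wire_value": record["hash"] == client_hash,
        "login_ok": server_verify(record, client_hash),
        "wrong_password_ok": server_verify(record, client_prehash(domain, username, password + "x")),
        "same_password_other_instance": client_prehash("other.example", username, password) == client_hash,
    }


if __name__ == "__main__":
    print(json.dumps(signup_then_login("lemmy.example", "alice", "correct horse battery staple"), indent=2))
```

Two caveats worth keeping in mind when reading the comments through this code. The client digest is itself the credential the server accepts, so an instance that logs it still holds something usable against itself and can crack a weak password offline; the domain in the salt only stops direct reuse at another instance. And because the instance serves the UI code, the `leaks_plaintext` check is only as trustworthy as the client code doing the checking.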

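For the log anonymization wished for in the comment above, an added example (not Lemmy's or nginx's code) of the usual recipe: keep the /24 of an IPv4 address and the /48 of an IPv6 address, so the log still shows which network a request came from without identifying the host. The log lines are constructed for the example, not real Lemmy output.

```python
"""Mask client IP addresses in log lines before they reach the docker log.

Added example, not Lemmy or nginx code. It mirrors the common nginx recipe
of zeroing the host part: IPv4 keeps the /24, IPv6 keeps the /48, so the
log still says which network a request came from without identifying the
host. The log lines below are constructed, not real Lemmy output.
"""
import ipaddress
import logging
import re

# Loose patterns on purpose: ipaddress does the real validation, so a
# timestamp like 12:34:56 matches the IPv6 pattern but is left untouched.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
IPV6_RE = re.compile(r"(?<![\w:.])(?:[0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}(?![\w:])")


def anonymize_ip(text: str, v4_prefix: int = 24, v6_prefix: int = 48) -> str:
    """Return the network address of the prefix containing `text`, or `text`
    unchanged if it is not an IP address."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return text
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def anonymize_line(line: str) -> str:
    """Rewrite every IP literal in a log line. IPv6 first, so the IPv4 pass
    only sees dotted quads that were not part of an IPv6 literal."""
    line = IPV6_RE.sub(lambda m: anonymize_ip(m.group(0)), line)
    return IPV4_RE.sub(lambda m: anonymize_ip(m.group(0)), line)


class IpMaskFilter(logging.Filter):
    """Hook for Python's logging: rewrites the rendered message in place."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = anonymize_line(record.getMessage())
        record.args = ()
        return True


# Constructed sample lines in a request-logger shape (not real Lemmy output).
SAMPLE_LINES = [
    "INFO request client=203.0.113.42 method=POST path=/api/v3/user/login status=200",
    "INFO request client=2001:db8:85a3::8a2e:370:7334 method=GET path=/api/v3/site status=200",
    "INFO startup t=12:34:56 version=0.19.3 listening on [::]:8536",
]


def anonymize_all(lines=SAMPLE_LINES) -> list:
    """Apply the masking to a batch of lines (the sample lines by default)."""
    return [anonymize_line(line) for line in lines]


if __name__ == "__main__":
    for before, after in zip(SAMPLE_LINES, anonymize_all()):
        print(before)
        print("  ->", after)
```

The third sample line is there to show the false-positive handling: the timestamp and the version string are left alone because they do not parse as addresses, and `[::]` is already a network address. A dotted quad that happens to look like a version string (four numeric components) would still be masked, which is the price of matching loosely.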





  • Aha, thanks. This might explain the gateway errors I experienced when trying to build using the 10.0.0 image.

    I also notice that the docker-compose file still points to the lemmy-ui 0.9.9 - should I build using that version, or should I upgrade my UI image to the 10.0.1?

    Last thing - if I pull the released lemmy and lemmy-ui tags (10.1.1) from github now and build my images from those, should those work fine? Or are these untested development versions?