
Sorry, I don't mean to be harsh, but this concept is pretty much dead on arrival.

"Check if your hash is still private and secure by sending us your hash."

Well, even if the hash was secure, it isn't now!

(Unless you:

O get the whole database into the client

O ask the user to:
  o reload the URL in PRIVATE browsing mode
  o DISCONNECT from the network
  o test the results with javascript
  o close the whole browser
  o reopen the browser
  o finally, clear flash cookies (how do I even do that?)
  o only then reconnect to the network

All to prevent you from either reading the results afterward or, as regards instructions to disconnect from the network, somehow changing or making a mistake in the javascript, perhaps after we or others have verified and ok'd it.)

If the only answer to the objection against giving you the hash is that you don't ask for the username, you might as well ask for the password plaintext.

Sorry, the concept is pretty much dead on arrival.

Still, way to ship (or 'nice shipping'; that should be our secret handshake :). Good luck on the next concept.



You should consider the password and hash that you test as already compromised and in the wild, thus making this app just a simple convenience for you and other LinkedIn users.


But... a convenience to do what?



