decode ip #242

Closed
opened 2021-08-12 14:31:20 +00:00 by Ghost · 3 comments

Hi! In the rare chance that the supermoderator was curious about an ip, can you pls say how to decode the hashed ip? Hashing is great for overall privacy and security, its good for superadmins to have the option tho :)

Hi! In the rare chance that the supermoderator was curious about an ip, can you pls say how to decode the hashed ip? Hashing is great for overall privacy and security, its good for superadmins to have the option tho :)

This would be great, server admins can access all IP connections anyways, and the hashes look ugly and confusing.

This would be great, server admins can access all IP connections anyways, and the hashes look ugly and confusing.

As far as I can tell, the hashing is done with Blowfish, with a salt generated from your tripseed. It wouldn't be difficult to figure out the salt as the board owner since you know your own tripseed, but it'd be almost impossible to decode the hash. If it was trivial to decode the hash, there wouldn't be much of a point to hashing at all.

I don't think TinyIB could implement this without, in association with each post, storing the raw IP in addition to the hashed IP, and storing raw IPs would introduce a lot of additional risk. Additionally, your webserver likely already keeps an access log you can check, if you needed to see the connecting IPs for the purpose of, e.g., identifying IP ranges that abuse or spam are coming from.

As far as I can tell, the hashing is done with Blowfish, with a salt generated from your tripseed. It wouldn't be difficult to figure out the salt as the board owner since you know your own tripseed, but it'd be almost impossible to decode the hash. If it was trivial to decode the hash, there wouldn't be much of a point to hashing at all. I don't think TinyIB *could* implement this without, in association with each post, storing the raw IP in addition to the hashed IP, and storing raw IPs would introduce a lot of additional risk. Additionally, your webserver likely already keeps an access log you can check, if you needed to see the connecting IPs for the purpose of, e.g., identifying IP ranges that abuse or spam are coming from.
Owner

Thanks, @ChristopherCormier. Just wanted to add that this was a very intentional design choice. I do not intend to support decrypting IP addresses.

Thanks, @ChristopherCormier. Just wanted to add that this was a very intentional design choice. I do not intend to support decrypting IP addresses.
Sign in to join this conversation.
No Milestone
No Assignees
4 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: tslocum/tinyib#242
No description provided.