[wp-hackers] Plugin update & security / privacy

[Mark Jaquith]

On Sep 24, 2007, at 12:59 AM, Matt Mullenweg wrote:


> URLs are useful unique identifiers and in my opinion the best one  
> to use on the web. You can normalize them, organize them by domains  
> and subdomains, look for odd characters or paths, create stats by  
> TLDs, map them to hosting providers, use them as a basis for a  
> crawl, and associate them with WordPress.org profiles. MD5s are  
> unique, but don't have a lot of value beyond that, and even a  
> capitalization or trailing slash change will change the whole MD5.  
> There are also things I think we haven't imagined yet that could  
> make URLs useful. Maybe a .org toolbar that ties into your .org  
> profile and makes it easy to manage multiple blogs and tie them  
> together. If by the time 2.5 comes around we're still not doing  
> anything useful with it then we can re-examine it.
>
> I don't think an MD5 would be significantly more anonymous either.  
> Anyone with a list of URLs could associate the md5 with a URL just  
> by pre-computing the URL MD5s and comparing. So they would be  
> different, but not really better. You'd have to add a salt of some  
> kind. We're hours from the release arguing about a bikeshed that  
> was checked in over a month ago.
>

[ Tried to send this ~25 minutes ago but it didn't show up.  Sorry if  
it doubleposts ]

wp_hash() uses an unchanging salt (set once in the database and not  
updated by WordPress ever).  So wp_hash('update-check') will remain  
constant for the life of the blog.  The uses of a URL identifier you  
mention are interesting -- though none seem "killer," and some of  
those uses should probably be "opt-in."

--
Mark Jaquith
http://markjaquith.com/

Covered Web Services
http://coveredwebservices.com/

WordPress Ninja @ b5media Inc
http://b5media.com/