- I'd recommend using HMAC rather than plain MD5 to generate signatures. Using MD5 alone exposes you to length extension attacks.
- You should consider putting a timestamp or nonce in the signature parameters to prevent replay attacks.
- The fact that you're able to validate that MD5(password) is correct implies that you're storing passwords insecurely.
- Consider switching your API endpoints to use HTTPS and sending the password unhashed. Hashing the password is not helping you here: since you're using the hashed value for authentication, any attacker who has it might as well have the actual password. Luckily, I don't believe this is as useful without also knowing the PSK, but it's still a design smell.
> Using MD5 alone exposes you to length extension attacks.
Since NoteHub is anonymous, my concern is not the security, but spam protection only. The Publisher Secret Key + signatures is just a mean to allow 3rd party tools post to NoteHub without captha. That's all.
> The fact that you're able to validate that MD5(password) is correct implies that you're storing passwords insecurely.
Absolutely, the only reason I hash the passwords in the web client and advise in the API to send hashes and not plain passwords is only to kind of protect users' passwords in the context of insecure transport layer.
> Consider switching your API endpoints to use HTTPS
HTTPS costs money. NoteHub is a free toy tool, a pastebin for one-off notes. I feel like, a fancy security would be an overkill for 99% of all use cases.
Seems like a feature to me.
