NoteHub API

24 points by elrodeo, more than 11 years ago

6 comments

xnxn, more than 11 years ago
Some hopefully constructive criticism. :)

- I'd recommend using HMAC rather than plain MD5 to generate signatures. Using MD5 alone exposes you to length extension attacks.

- You should consider putting a timestamp or nonce in the signature parameters to prevent replay attacks.

- The fact that you're able to validate that MD5(password) is correct implies that you're storing passwords insecurely.

- Consider switching your API endpoints to use HTTPS and sending the password unhashed. Hashing the password is not helping you here: since you're using the hashed value for authentication, any attacker who has it might as well have the actual password. Luckily, I don't believe this is as useful without also knowing the PSK, but it's still a design smell.
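The first two suggestions in xnxn's comment (HMAC instead of a plain hash, plus a timestamp and nonce against replay), sketched as an added example that is not part of the thread or of NoteHub's code. The field names `ts`, `nonce` and `sig`, the 300-second window and the length-prefixed encoding are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

MAX_SKEW = 300  # assumed validity window for a signed request, in seconds


def canonical(params):
    # Length-prefix every key and value so field boundaries cannot shift.
    fields = [str(x).encode() for k in sorted(params) for x in (k, params[k])]
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)


def mac(psk, params):
    # HMAC, unlike a bare hash over key + message, resists length extension.
    return hmac.new(psk, canonical(params), hashlib.sha256).hexdigest()


def sign(psk, params, now=None):
    # Client side: bind a timestamp and a random nonce into the signature.
    ts = int(time.time() if now is None else now)
    signed = dict(params, ts=ts, nonce=secrets.token_hex(16))
    signed["sig"] = mac(psk, signed)
    return signed


class Verifier:
    def __init__(self, psk):
        self.psk = psk
        self.seen = {}  # nonce -> timestamp, pruned once outside the window

    def verify(self, request, now=None):
        now = time.time() if now is None else now
        params = dict(request)
        sig = str(params.pop("sig", "")).encode()
        # Constant-time comparison, done before any field is trusted.
        if not hmac.compare_digest(mac(self.psk, params).encode(), sig):
            return "bad signature"
        ts = str(params.get("ts", ""))
        if not ts.isdecimal() or abs(now - int(ts)) > MAX_SKEW:
            return "stale"
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_SKEW}
        if params.get("nonce") in self.seen:
            return "replay"
        self.seen[params.get("nonce")] = int(ts)
        return "ok"
```

The nonce cache only has to remember entries for the length of the freshness window, because anything older is already rejected as stale.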
nadaviv, more than 11 years ago
This looks very nice, but it's somewhat inconvenient to write with the preview on top, as it makes the textarea jump around as I type. I think that side-by-side or putting the preview on the bottom would make more sense.
rhythmvs, more than 11 years ago
Nice updates! Alas, the service seems to be broken: whatever I try to create a new note, I get “Bad Request”. Care to have a look? Much appreciated, and thanks a lot!

https://github.com/chmllr/NoteHub/issues/8
motyar, more than 11 years ago
Very useful. I just managed to hide panel see http://www.notehub.org/2014/1/13/where-is-the-panel

Seems like a feature to me.
sjustinas, more than 11 years ago
What's the deal with MD5 (both for signatures and password hashing)?
jalan, more than 11 years ago
Just stumbled across it, nice work BTW.