I must admit, this is so true. When checking hashes I tend to just look at the first and last chars. If there was a difference I'd likely miss it.
-
Everyone does that. “Starts with eb4f, ends with 77ac?” - “Yup, looks good.”
-
Does nobody else pick some random place in the hash and check a few characters from there? I scribbled some notes on an idea based on that at https://thejh.net/written-stuff/safe-short-hash … some time ago.
-
It’s hard to count in, so I don’t think people do. It would be better to display a string of words, since that is easier to check. Loads of Tor hidden services use brute force to get the first 7-8 digits of the address of the site they’re impersonating.
-
I wonder if you'd likely notice by accident though. Often there will be some (non-hash) identifier of a number of hex digits where the first and last few characters are the same, but the center just doesn't look right, so I check more carefully.
New conversation -
That's why a computer should check the validity of the hash, not a human.
-
It’s why the hash should be represented in a human-friendly form, and the computer should check the hash where possible. Typically it’s out of band though, e.g. verifying fingerprints for OTR or Signal.
-
http://Blockchair.com renders hashes as some first digits, some last digits, and a series of color bars between, each representing 6 hexadecimals, using the standard CSS rgb scheme. Take a look.
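The two human-friendly renderings mentioned in this conversation (a string of words, and Blockchair-style color bars for every 6 hex digits) shown next to the first-and-last-digits shortcut from the start of the thread, as an added Python example. It is not code from any of the posters or from Blockchair: the syllable table is constructed for the demo (it is not a standard list such as the PGP word list), and the sample digests are constructed too. The point it demonstrates is that a lookalike which only differs in the middle passes the human shortcut but is caught by a full comparison and shows up as a different word in the word rendering.

```python
from __future__ import annotations

import hashlib
import hmac

# Constructed syllable table: 16 consonants x 4 vowels x 4 tails = 256 distinct
# pronounceable syllables, one per byte. Not a standard word list; it only
# illustrates the "string of words" idea from the thread.
_CONS = "bdfghjklmnprstvz"
_VOWELS = "aeio"
_TAILS = ("", "n", "r", "s")


def _syllable(byte: int) -> str:
    """Map one byte (0..255) to a unique syllable: the high nibble picks the
    consonant, the next two bits the vowel, the low two bits the tail."""
    return _CONS[byte >> 4] + _VOWELS[(byte >> 2) & 3] + _TAILS[byte & 3]


def hex_to_syllables(hex_digest: str) -> list[str]:
    """Render a hex digest as a list of syllables, one per byte."""
    return [_syllable(b) for b in bytes.fromhex(hex_digest)]


def hex_to_css_colors(hex_digest: str) -> list[str]:
    """Blockchair-style rendering as described in the thread: every 6 hex
    digits become one CSS rgb() color bar. A trailing chunk shorter than
    6 digits is left out here; a UI would show those digits as text."""
    full = len(hex_digest) - len(hex_digest) % 6
    return [
        f"rgb({int(hex_digest[i:i + 2], 16)},"
        f"{int(hex_digest[i + 2:i + 4], 16)},"
        f"{int(hex_digest[i + 4:i + 6], 16)})"
        for i in range(0, full, 6)
    ]


def looks_alike(a: str, b: str, n: int = 4) -> bool:
    """The human shortcut from the thread: only the first and last n hex
    digits are compared, so anything sharing them is accepted."""
    return a[:n] == b[:n] and a[-n:] == b[-n:]


def fingerprints_equal(a: str, b: str) -> bool:
    """What the computer should do instead: compare the whole value in
    constant time, after normalising case and common separators."""
    na = a.replace(" ", "").replace(":", "").lower()
    nb = b.replace(" ", "").replace(":", "").lower()
    return hmac.compare_digest(na.encode(), nb.encode())


def differing_positions(x: list[str], y: list[str]) -> list[int]:
    """Indices at which two renderings differ, e.g. for highlighting in a UI."""
    if len(x) != len(y):
        raise ValueError("renderings have different lengths")
    return [i for i, (p, q) in enumerate(zip(x, y)) if p != q]


def sample_pair() -> tuple[str, str]:
    """Constructed demo input: a real SHA-256 digest and a lookalike that keeps
    the first and last digits but changes one hex digit in the middle (byte 15)."""
    real = hashlib.sha256(b"constructed sample payload").hexdigest()
    pos = 30  # hex digits 30 and 31 form byte 15 of 32
    flipped = format(int(real[pos], 16) ^ 0x8, "x")  # XOR guarantees a different digit
    fake = real[:pos] + flipped + real[pos + 1:]
    return real, fake


if __name__ == "__main__":
    real, fake = sample_pair()
    print("first/last digits match:", looks_alike(real, fake))
    print("full comparison matches:", fingerprints_equal(real, fake))
    words_real, words_fake = hex_to_syllables(real), hex_to_syllables(fake)
    print("syllables differ at index:", differing_positions(words_real, words_fake))
    print(" ".join(words_real))
    print(" ".join(words_fake))
    print("color bars:", hex_to_css_colors(real))
```

Run stand-alone it prints the two word strings one above the other, so the single differing syllable is visible at a glance, which is exactly what the hex form hides from the prefix/suffix check.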
-
Sounds like it would be hard to send out of band. “Mauve mauve dark pink, light red, indigo, purple”... and not color blind friendly :)
-
I bet you won't fool even a colorblind person into accepting 'same' hashes in reasonable time with this. As for sending a hash by voice, nothing can be done, alpha bravo.
New conversation -
What other possible representations could we try? A color gradient might work. Sure it will be hard to spot minor changes but a near collision (just a few bits off) should be unlikely.
-
Yeah, that is probably the least bad idea. But it's not as fun. :/
-
Yeah, it is just more user friendly and easier to check manually via an out of band channel. ;-/
New conversation -
1. Humans should not be comparing hashes. 2. If humans have to compare hashes, they should be taught not to compare the hashes directly but instead to compare a hash of the hashes.
-
How do you verify a Signal fingerprint?
-
qr code + camera
New conversation -
I like copying them right above each other. It's easy to see pattern mismatches then, and to compare them in various places.
-
Only works if the hash strings are on the same device.
-
Not like you can't transport one of them but inconvenient.
-
well… often the whole reason for verifying fingerprints is to establish a (secure) channel to transport a message. So you cannot use it if you do not have it yet.