by oconnor663 3123 days ago
Something about multihash makes me worry it's a security risk. Like I worry that it encourages this mistake:

1. Define a new protocol with multihash somewhere in it.

2. Import a super convenient multihash library.

3. Verify all hashes with a simple library function.

That sounds super natural and convenient to me, but if it means that you support MD4 by default, then you've introduced a downgrade attack into your protocol.
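The three steps above, worked through as an added example (not code from the original comment or from any multihash library): a minimal multihash encoder/decoder using the multicodec codes for sha1 (0x11), sha2-256 (0x12) and sha2-512 (0x13), a "convenient" verifier that accepts whatever algorithm the sender picked, and the locked-down verifier beside it. SHA-1 stands in for the legacy algorithm (the comment's MD4) because hashlib has it everywhere; the allowlist, the `LIBRARY_DEFAULTS` table and the payload are constructed for the example.

```python
import hashlib
import hmac

# Multicodec codes for the hash functions used in this example.
SHA1 = 0x11
SHA2_256 = 0x12
SHA2_512 = 0x13

# Everything a convenient library might accept out of the box (constructed).
LIBRARY_DEFAULTS = {SHA1: "sha1", SHA2_256: "sha256", SHA2_512: "sha512"}

# What a protocol that locks itself down would accept (constructed allowlist).
STRONG_ONLY = frozenset({SHA2_256, SHA2_512})


def _uvarint_encode(n: int) -> bytes:
    """Unsigned LEB128 varint, as used for the multihash code and length."""
    out = bytearray()
    while True:
        byte = n & 0x7F
        n >>= 7
        if n:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def _uvarint_decode(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a varint at buf[pos]; returns (value, position after it)."""
    result = shift = 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")


def multihash_encode(code: int, data: bytes) -> bytes:
    """<varint code><varint digest length><digest>"""
    digest = hashlib.new(LIBRARY_DEFAULTS[code], data).digest()
    return _uvarint_encode(code) + _uvarint_encode(len(digest)) + digest


def multihash_decode(mh: bytes) -> tuple[int, bytes]:
    """Split a multihash into (code, digest), checking the declared length."""
    code, pos = _uvarint_decode(mh, 0)
    length, pos = _uvarint_decode(mh, pos)
    digest = mh[pos:]
    if len(digest) != length:
        raise ValueError("digest length does not match declared length")
    return code, digest


def verify_any(mh: bytes, data: bytes) -> bool:
    """Step 3 as the comment fears it: trust the sender's choice of algorithm."""
    code, digest = multihash_decode(mh)
    name = LIBRARY_DEFAULTS.get(code)
    if name is None:
        raise ValueError(f"unsupported multihash code 0x{code:x}")
    return hmac.compare_digest(hashlib.new(name, data).digest(), digest)


def verify_allowlisted(mh: bytes, data: bytes, allowed=STRONG_ONLY) -> bool:
    """Same check, but the protocol, not the sender, decides which codes count."""
    code, _ = multihash_decode(mh)
    if code not in allowed:
        raise ValueError(f"multihash code 0x{code:x} is not in the allowlist")
    return verify_any(mh, data)


if __name__ == "__main__":
    payload = b"constructed payload"  # constructed sample input
    mh_strong = multihash_encode(SHA2_256, payload)
    mh_legacy = multihash_encode(SHA1, payload)
    print("permissive accepts sha2-256:", verify_any(mh_strong, payload))
    print("permissive accepts sha1:    ", verify_any(mh_legacy, payload))
    print("allowlist accepts sha2-256: ", verify_allowlisted(mh_strong, payload))
    try:
        verify_allowlisted(mh_legacy, payload)
    except ValueError as exc:
        print("allowlist rejects sha1:     ", exc)
```

The difference between the two verifiers is one membership test, but note where it sits: the allowlist is consulted before any digest is computed, so a multihash naming a legacy algorithm is refused outright rather than being hashed and compared. That is the decision a library's "verify" helper makes for you when it ships with a permissive default table.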


You can lock it down to specific hash functions no problem.

If I’ve learned anything from being in this field it’s that:

  1) many if not most implementations will support lots of algorithms by default, and
  2) as a result, approximately zero users will lock it down
  3) the users who do lock it down will be harangued about not being compatible with less secure versions barring a major incident

Yeah that's exactly what I'm worried about. The nature of the beast makes it tricky to define a safe default.