by elrodeo 4547 days ago
Thanks a lot for your comments!

> Using MD5 alone exposes you to length extension attacks.

Since NoteHub is anonymous, my concern is not security, but spam protection only. The Publisher Secret Key + signatures is just a means to allow 3rd-party tools to post to NoteHub without a captcha. That's all.

> The fact that you're able to validate that MD5(password) is correct implies that you're storing passwords insecurely.

Absolutely. The only reason I hash the passwords in the web client and advise in the API to send hashes and not plain passwords is to kind of protect users' passwords in the context of an insecure transport layer.

> Consider switching your API endpoints to use HTTPS

HTTPS costs money. NoteHub is a free toy tool, a pastebin for one-off notes. I feel like fancy security would be overkill for 99% of all use cases.
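The length-extension point raised in the quoted reply is easiest to see side by side. Below is an added example (my own, not NoteHub's code and not elrodeo's) that contrasts the fragile MD5(secret || message) signing pattern with an HMAC-SHA256 signature and a constant-time check. The secret, the request body and the function names are constructed for illustration and are not NoteHub's real API or keys.

```python
import hashlib
import hmac

# Constructed sample values (assumptions for this example; not NoteHub's real
# publisher key or request format).
PUBLISHER_SECRET = b"example-publisher-secret"
NOTE_BODY = b"title=hello&note=first+post"


def naive_signature(secret: bytes, message: bytes) -> str:
    """The 'before' form: MD5(secret || message).

    MD5 is a Merkle-Damgard hash, so the digest *is* the hash's internal state
    after the final block.  Anyone who sees (message, digest) can keep feeding
    blocks into that state and produce a valid digest for message + padding +
    extra, without ever learning the secret.  Kept here only for contrast; do
    not use it to authenticate anything.
    """
    return hashlib.md5(secret + message).hexdigest()


def hmac_signature(secret: bytes, message: bytes) -> str:
    """The hardened form: HMAC-SHA256(secret, message).

    HMAC nests two hashes, H((K ^ opad) || H((K ^ ipad) || message)).  The outer
    hash hides the inner state, so the digest cannot be extended without the
    key, and the keyed construction also avoids collisions in the bare hash
    being directly useful to a forger.
    """
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify(secret: bytes, message: bytes, presented: str) -> bool:
    """Server-side check.  compare_digest runs in time independent of where
    the two strings first differ, so an attacker cannot learn the expected
    signature byte by byte from response timing."""
    expected = hmac_signature(secret, message)
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    good = hmac_signature(PUBLISHER_SECRET, NOTE_BODY)
    print("naive :", naive_signature(PUBLISHER_SECRET, NOTE_BODY))
    print("hmac  :", good)
    print("valid :", verify(PUBLISHER_SECRET, NOTE_BODY, good))
    print("tamper:", verify(PUBLISHER_SECRET, NOTE_BODY + b"&note=changed", good))
```

The HMAC variant costs nothing extra to run and the client-side change is a single call, so even a spam-only threat model gets the stronger primitive for free; the transport question (HTTPS) is separate, since a signature only proves the sender held the key, not that nobody read the note in transit.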