If I go to comment at a WordPress site it says this:
"Email (required) (Address never made public)"
MD5 leaks of my email address into web pages are in fact making my address public.
Hey lmm, duh, when you make a comment under a different name but with the same email address that you think is anonymous at your local HIV testing site, you may not expect that your insurance company can track that down because WordPress has been leaking your MD5 address all over the place.
But the point is that you can easily brute force that, especially if you have a list of people that you suspect may be making such comments and their email addresses.
Saying that your email is kept private by taking its MD5 sum is like expecting that an unsalted MD5 sum for a password hash in a publicly accessible password database will be secure for people with weak, brute-forcible passwords like "1234". You are providing a little bit of obfuscation, but no real security.
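The point made in the comments above, as an added example that is not part of the thread: an unsalted MD5 of an address is confirmable by anyone who already holds a list of addresses and is identical on every site, while an identifier keyed with a per-site secret is neither. It assumes the address is trimmed and lowercased before hashing; the function names, addresses and secrets are constructed for illustration.

```python
import hashlib
import hmac


def normalize(email: str) -> bytes:
    # Assumption: addresses are trimmed and lowercased before hashing.
    return email.strip().lower().encode("utf-8")


def public_md5_id(email: str) -> str:
    """Unsalted identifier of the kind the thread describes: MD5 of the address."""
    return hashlib.md5(normalize(email)).hexdigest()


def keyed_id(email: str, site_secret: bytes) -> str:
    """Alternative: HMAC-SHA256 under a secret that only the site holds."""
    return hmac.new(site_secret, normalize(email), hashlib.sha256).hexdigest()


def linkable(published_id: str, known_addresses, derive) -> list:
    """Return the known addresses that derive() maps to published_id.

    A non-empty result means the published identifier hides nothing from
    a party that already holds that address list.
    """
    return [a for a in known_addresses
            if hmac.compare_digest(derive(a), published_id)]


# Constructed sample data (not from the thread).
COMMENTER = " Alice.Example@example.org "
KNOWN = ["bob@example.org", "alice.example@example.org", "carol@example.org"]
SITE_A_SECRET = b"constructed-secret-site-a"
SITE_B_SECRET = b"constructed-secret-site-b"


def audit() -> dict:
    md5_id = public_md5_id(COMMENTER)
    hmac_id = keyed_id(COMMENTER, SITE_A_SECRET)
    return {
        # Unsalted MD5: the list holder confirms the commenter's address.
        "md5_matches": linkable(md5_id, KNOWN, public_md5_id),
        # Keyed identifier: without the site's secret, no candidate matches.
        "keyed_matches": linkable(hmac_id, KNOWN,
                                  lambda a: keyed_id(a, b"outsider-guess")),
        # Unsalted MD5 is the same on every site; per-site keys are not.
        "md5_same_across_sites": md5_id == public_md5_id("alice.example@example.org"),
        "keyed_same_across_sites": hmac_id == keyed_id(COMMENTER, SITE_B_SECRET),
    }


if __name__ == "__main__":
    print(audit())
```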