add [hash] to isso.conf and update some strings

share/isso.conf

@@ -4,7 +4,7 @@
 [general]
 
 # file location to the SQLite3 database, highly recommended to change this
-# location to a non-temporary location
+# location to a non-temporary location!
 dbpath = /tmp/comments.db
 
 # required to dispatch multiple websites, not used otherwise.
@@ -30,6 +30,14 @@ max-age = 15m
 
 # Select notification backend for new comments. Currently, only SMTP is
 # available.
+# Select notification backend(s) for new comments, separated by comma.
+# Available backends:
+#
+# stdout
+#     Log to standard output. Default, if none selected.
+# smtp
+#     Send notifications via SMTP on new comments with activation (if
+#     moderated) and deletion links.
 notify =
 
 
@@ -57,8 +65,8 @@ listen = http://localhost:8080
 # Only works with the internal webserver.
 reload = off
 
-# show 10 most time consuming function in Isso after each request. Do not use in
+# show 10 most time consuming function in Isso after each request. Do not use
-# production.
+# in production.
 profile = off
 
 
@@ -79,15 +87,16 @@ host = localhost
 # SMTP port
 port = 587
 
-# use a secure connection to the server, possible values: "none", "starttls"
+# use a secure connection to the server, possible values: none, starttls or
-# or "ssl". Python 2.X probably does not validate certificates (needs
+# ssl. Note, that Python does not validate the server's certificate and thus
-# research). But you should use a dedicated email account anyways.
+# the connection is vulnerable to Man-in-the-Middle attacks. Therefore, you
+# should definitely use a dedicated SMTP account for Isso.
 security = starttls
 
 # recipient address, e.g. your email address
 to =
 
-# sender address, e.g. isso@example.tld
+# ender address, e.g. "Foo Bar" <isso@example.tld>
 from =
 
 # specify a timeout in seconds for blocking operations like the
@@ -96,8 +105,8 @@ timeout = 10
 
 
 [guard]
-# Enable basic spam protection features, e.g. rate-limit per IP address (/24 for
+# Enable basic spam protection features, e.g. rate-limit per IP address (/24
-# IPv4, /48 for IPv6).
+# for IPv4, /48 for IPv6).
 
 # enable guard, recommended in production. Not useful for debugging purposes.
 enabled = true
@@ -105,13 +114,13 @@ enabled = true
 # limit to N new comments per minute.
 ratelimit = 2
 
-# how many comments directly to the thread (prevent a simple while true; do curl
+# how many comments directly to the thread (prevent a simple while true; do
-# ...; done.
+# curl ...; done.
 direct-reply = 3
 
-# allow commenters to reply to their own comments when they could still edit the
+# allow commenters to reply to their own comments when they could still edit
-# comment. After the editing timeframe is gone, commenters can reply to their
+# the comment. After the editing timeframe is gone, commenters can reply to
-# own comments anyways.  Do not forget to configure the client.
+# their own comments anyways. Do not forget to configure the client.
 reply-to-self = false
 
 
@@ -132,3 +141,23 @@ allowed-elements =
 # generated output, comma-separated. By default, only align and href are
 # allowed.
 allowed-attributes =
+
+
+[hash]
+# Customize used hash functions to hide the actual email addresses from
+# commenters but still be able to generate an identicon.
+
+
+# A salt is used to protect against rainbow tables. Isso does not make use of
+# pepper (yet). The default value has been in use since the release of Isso and
+# generates the same identicons for same addresses across installations.
+salt = Eech7co8Ohloopo9Ol6baimi
+
+# Hash algorithm to use -- either from Python's hashlib or PBKDF2 (a
+# computational expensive hash function).
+#
+# The actual identifier for PBKDF2 is pbkdf2:1000:6:sha1, which means 1000
+# iterations, 6 bytes to generate and SHA1 as pseudo-random family used for key
+# strengthening. Arguments have to be in that order, but can be reduced to
+# pbkdf2:4096 for example to override the iterations only.
+algorithm = pbkdf2