I think it should go on the client, and the hash is pretty much a space saving measure. There are three options, as far as I see it:
1. Assign random colors every time a page is rendered. This could get confusing on repeat visits, but it would come with the added perk of ensuring the impostor has a low chance of hitting the same color as the person they’re trying to impersonate every time.
2. Assign random colors and save them on the client. This would probably balloon without an LRU data structure, but it could work.
3. Use the hash. This basically generates random colors in a predictable way, implementing #2 without having to store anything.
Given that Lemmy does a lot of reloads on navigation I don’t think #1 would work well. The hash is a quick and easy way around the complexities of other implementations.
And yeah, in theory the server could store the client secret, making the colors consistent across all devices of a user, but it has to be non-public info. If it’s public, an impersonator could target a specific person and find a collision that fools them in particular.
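A sketch of the hash option keyed with a private per-client secret, as an added example that is not part of the original comment and not Lemmy's code. The HMAC-SHA256 construction, the HSL mapping, the helper names and the sample usernames are assumptions, and Node's `crypto` module stands in for the browser's Web Crypto API so the block runs offline.

```javascript
// Added example, not Lemmy's code: per-client keyed username colors.
const { createHmac, randomBytes } = require('node:crypto');

// Hypothetical helper: secret generated once per client and kept private.
function newClientSecret() {
  return randomBytes(32);
}

// HMAC-SHA256(secret, username) -> HSL color. Same secret and name always give
// the same color, so nothing has to be stored per user.
function colorFor(clientSecret, username) {
  const mac = createHmac('sha256', clientSecret).update(username, 'utf8').digest();
  const hue = mac.readUInt16BE(0) % 360;   // 0..359
  const saturation = 55 + (mac[2] % 30);   // 55..84 %
  const lightness = 40 + (mac[3] % 20);    // 40..59 %
  return `hsl(${hue}, ${saturation}%, ${lightness}%)`;
}

// Count on how many of `secrets` a lookalike name gets the same color as the
// real name. With private per-client secrets the impostor cannot tune this.
function clientsFooled(secrets, realName, lookalike) {
  return secrets.filter((s) => colorFor(s, realName) === colorFor(s, lookalike)).length;
}

// Number of distinct colors one username gets across different clients.
function distinctColors(secrets, username) {
  return new Set(secrets.map((s) => colorFor(s, username))).size;
}

// Constructed sample data: 50 fixed stand-in secrets and a lookalike pair
// (lowercase "l" replaced by uppercase "I").
const sampleSecrets = Array.from({ length: 50 }, (_, i) => Buffer.from(`constructed-secret-${i}`));
const realName = 'alice@example.social';
const lookalike = 'aIice@example.social';

const mine = newClientSecret();
console.log('real     :', colorFor(mine, realName));
console.log('lookalike:', colorFor(mine, lookalike));
console.log('clients fooled:', clientsFooled(sampleSecrets, realName, lookalike), 'of 50');
console.log('distinct colors for real name:', distinctColors(sampleSecrets, realName));
```

Because each client keys the hash differently, a lookalike name that happens to match on one client gets an unrelated color on the others.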