1. I've been considering changing the secure tripcode algorithm from using MD5 to using RC4. This would mean:

   • Secure tripcodes would work on all installations. Currently they're limited to those hosts that have the MD5 module installed, which means most, but not all. I have my own RC4 code that runs everywhere.
   • Existing secure tripcodes would all change. But they're not widely used and they vary from site to site anyway.

   Is this a good or bad idea?

2. 100webspace just raised the bandwidth limit from 1GB to 3GB. What do I do with all this extra bandwidth? Currently the site is using somewhere around 700MB per month.

why not add an option in config.pl to choose between MD5 and RC4?

Well, ideally I'd like to remove the MD5 stuff from the source entirely, because I like to keep the code as lean as possible.

I could also make it use RC4 if it can't find MD5, if I went that way.

Using RC4 as the fallback seems the best way to me; it would be too confusing to suddenly switch around everyone's tripcodes, no matter how few people use them.

(I hope your RC4 is more secure than WEP is)

There are problems with the fallback method too. If you install the MD5 modules, then the algorithm would change... I am leaning towards replacing it with RC4 once and for all.

And yeah, it shouldn't be vulnerable to the same things WEP is. WEP uses RC4 pretty carelessly. RC4 is a quite secure algorithm, but some care has to be taken when using it.

...the justification for the switchover being that very few people use secure tripcodes at the moment. It's mostly just the admins of various servers, and they can fairly easily deal with it changing.