[whatwg] Dealing with UI redress vulnerabilities inherent to the current web
Michal Zalewski
lcamtuf at dione.cc
Tue Sep 30 10:36:56 PDT 2008
On Tue, 30 Sep 2008, Edward Z. Yang wrote:
>> More importantly, since the dictionary of possible inputs is rather
>> limited, it would be pretty trivial to build a dictionary of site <->
>> hash pairs and crack the values. May protect
>> xyzzy2984.eur.int.example.com, but would still reveal to me you are
>> coming from playboy.com.
>
> Salt it. Problem solved.
Not really? I just need to rebuild my dictionary for that salt, but to
check against, say, a million or ten million common domains wouldn't
be very expensive. And it's not very expensive to build such a list of
domains, either.
/mz
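To make the cost argument above concrete, here is an added example that is not code from the thread or from any whatwg proposal. It assumes a hypothetical "salted referrer" scheme in which the browser sends hex(sha256(salt || referring host)) together with the salt (the salt has to be visible, or the receiving site could not verify anything). The dictionary of "common domains" is a constructed stand-in for the million-entry list Michal describes; the attacker rebuilds the salt-to-digest table once per observed salt and recovers the referring site, while a hostname outside the dictionary stays hidden.

```python
import hashlib
import os
import time

# Hypothetical scheme assumed for this example: the site receives the salt
# in the clear plus hex(sha256(salt || lowercase host)). Any other keyed
# construction behaves the same way against a small input space.
def salted_hash(salt: bytes, host: str) -> str:
    return hashlib.sha256(salt + host.lower().encode("idna")).hexdigest()


# Constructed stand-in for a dictionary of a million common domains.
COMMON_DOMAINS = [
    "google.com", "wikipedia.org", "example.com", "playboy.com",
    "bbc.co.uk", "mozilla.org", "whatwg.org", "amazon.com",
]


def build_table(salt: bytes, domains) -> dict:
    """One pass over the dictionary: the only extra work a new salt forces."""
    return {salted_hash(salt, d): d for d in domains}


def crack(salt: bytes, digest: str, domains):
    """Recover the referring host from one salted digest, or None when the
    host is outside the dictionary (e.g. an internal hostname)."""
    return build_table(salt, domains).get(digest)


def crack_observations(observations, domains):
    """Observations are (salt, digest) pairs. Tables are cached per salt, so a
    salt reused across requests is paid for once; a fresh salt per request
    costs one dictionary pass each time, which is still cheap."""
    tables = {}
    recovered = []
    for salt, digest in observations:
        if salt not in tables:
            tables[salt] = build_table(salt, domains)
        recovered.append(tables[salt].get(digest))
    return recovered


def synthetic_dictionary(n: int):
    """Synthetic domain list used only to measure the per-salt rebuild cost."""
    return [f"site{i}.example" for i in range(n)]


def main():
    salt = os.urandom(16)
    leaked = salted_hash(salt, "playboy.com")
    print("cracked:", crack(salt, leaked, COMMON_DOMAINS))
    hidden = salted_hash(salt, "xyzzy2984.eur.int.example.com")
    print("internal host:", crack(salt, hidden, COMMON_DOMAINS))

    # How much does a brand-new salt cost the attacker? One table rebuild.
    big = synthetic_dictionary(200_000)
    t0 = time.perf_counter()
    build_table(os.urandom(16), big)
    print(f"rebuilt table for {len(big)} domains in "
          f"{time.perf_counter() - t0:.2f}s")


if __name__ == "__main__":
    main()
```

The timing in main() is the whole point: the salt does not change the size of the input space, it only prevents precomputing one table for every site, and recomputing a table over a million-domain list is seconds of work on an ordinary machine. Only a host that is not in the dictionary, such as the internal one in the quoted message, gets any protection, and that protection comes from the hostname being unguessable, not from the salt.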