[whatwg] Dealing with UI redress vulnerabilities inherent to the current web

Michal Zalewski lcamtuf at dione.cc
Tue Sep 30 10:36:56 PDT 2008


On Tue, 30 Sep 2008, Edward Z. Yang wrote:

>> More importantly, since the dictionary of possible inputs is rather
>> limited, it would be pretty trivial to build a dictionary of site <->
>> hash pairs and crack the values. May protect
>> xyzzy2984.eur.int.example.com, but would still reveal to me you are
>> coming from playboy.com.
>
> Salt it. Problem solved.

Not really? I just need to rebuild my dictionary for that salt, but to 
check against say a million or ten million of common domains, it wouldn't 
be very expensive. And it's not very expensive to build such a list of 
domains, too.

/mz



More information about the whatwg mailing list