[whatwg] Dealing with UI redress vulnerabilities inherent to the current web

Edward Z. Yang edwardzyang at thewritingpot.com
Tue Sep 30 10:35:13 PDT 2008

Michal Zalewski wrote:
> Not really? I just need to rebuild my dictionary for that salt, but to
> check against say a million or ten million of common domains, it
> wouldn't be very expensive. And it's not very expensive to build such a
> list of domains, too.

In that case, you are certainly correct; adding a salt only hinders an
attacker. But if we're worried about Origin giving away a secret
intranet website, I think things should be reasonable. Of course, they
can still dictionary brute-force it...

(whoops, forgot to CC list)

More information about the whatwg mailing list