[whatwg] Dealing with UI redress vulnerabilities inherent to the current web
Edward Z. Yang
edwardzyang at thewritingpot.com
Tue Sep 30 10:35:13 PDT 2008
Michal Zalewski wrote:
> Not really? I just need to rebuild my dictionary for that salt, but to
> check against say a million or ten million of common domains, it
> wouldn't be very expensive. And it's not very expensive to build such a
> list of domains, too.
In that case, you are certainly correct; adding a salt only hinders an
attacker. But if we're worried about Origin giving away a secret
intranet website, I think things should be reasonable. Of course, they
can still dictionary brute-force it...
(whoops, forgot to CC list)
More information about the whatwg
mailing list