W3C home > Mailing lists > Public > whatwg@whatwg.org > September 2008

[whatwg] Dealing with UI redress vulnerabilities inherent to the current web

From: Michal Zalewski <lcamtuf@dione.cc>
Date: Tue, 30 Sep 2008 19:36:56 +0200 (CEST)
Message-ID: <Pine.LNX.4.64.0809301935040.10659@dione.cc>
On Tue, 30 Sep 2008, Edward Z. Yang wrote:

>> More importantly, since the dictionary of possible inputs is rather
>> limited, it would be pretty trivial to build a dictionary of site <->
>> hash pairs and crack the values. May protect
>> xyzzy2984.eur.int.example.com, but would still reveal to me you are
>> coming from playboy.com.
>
> Salt it. Problem solved.

Not really? I just need to rebuild my dictionary for that salt, but to 
check against, say, a million or ten million common domains, it wouldn't 
be very expensive. And it's not very expensive to build such a list of 
domains, either.

/mz
Received on Tuesday, 30 September 2008 10:36:56 UTC
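The following is an added illustration of the point made in this reply; it is not code from the thread, from the WHATWG, or from any proposal discussed on the list. It assumes a construction the page does not spell out: the browser sends SHA-256(salt || referring domain) along with the salt, so the receiving site can verify it. The candidate domain list is constructed here; a real attacker would scrape one from public rankings, as the mail notes.

```python
"""
Why a salt does not rescue a hashed referring domain: the attacker sees the
salt, rebuilds the dictionary for it, and the space of plausible public
domains is small enough that this is cheap.  Hashing construction and
candidate list are assumptions, not anything stated on the page.
"""
import hashlib
import secrets
import time
from typing import Dict, Iterable, Optional, Tuple


def hash_origin(domain: str, salt: bytes) -> str:
    """Assumed construction: SHA-256 over salt || lowercased domain name."""
    return hashlib.sha256(salt + domain.lower().encode("ascii")).hexdigest()


def make_header(domain: str) -> Tuple[bytes, str]:
    """What a browser might send: a fresh random salt plus the salted digest.
    The salt must travel with the digest, or the receiver cannot verify it."""
    salt = secrets.token_bytes(16)
    return salt, hash_origin(domain, salt)


def crack(digest: str, salt: bytes, candidates: Iterable[str]) -> Optional[str]:
    """Attacker side: rebuild the table for this salt, then look the digest up.
    Returns the recovered domain, or None if it was not in the dictionary."""
    table: Dict[str, str] = {hash_origin(d, salt): d for d in candidates}
    return table.get(digest)


def estimate_seconds(n_domains: int, salt: bytes, sample: int = 20000) -> float:
    """Time `sample` salted hashes and extrapolate to a dictionary of n_domains.
    Synthetic names stand in for a real top-sites list (constructed input)."""
    names = [f"site{i}.example" for i in range(sample)]
    t0 = time.perf_counter()
    for d in names:
        hash_origin(d, salt)
    return (time.perf_counter() - t0) / sample * n_domains


# Constructed stand-in for a "top N domains" list.
COMMON_DOMAINS = [
    "google.com", "yahoo.com", "microsoft.com", "playboy.com",
    "whatwg.org", "w3.org", "example.org",
]


def demo() -> dict:
    """A public site is recovered; an obscure internal hostname is not."""
    salt, digest = make_header("playboy.com")
    public = crack(digest, salt, COMMON_DOMAINS)
    salt2, digest2 = make_header("xyzzy2984.eur.int.example.com")
    internal = crack(digest2, salt2, COMMON_DOMAINS)
    return {
        "public": public,
        "internal": internal,
        "seconds_for_10M": estimate_seconds(10_000_000, salt),
    }


if __name__ == "__main__":
    print(demo())
```

The rebuild cost scales linearly with the dictionary size and has to be paid once per salt, which is exactly the cost the reply says is affordable; only a name that is absent from the attacker's list, such as the internal hostname quoted above, stays hidden.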
