- From: Michal Zalewski <lcamtuf@dione.cc>
- Date: Tue, 30 Sep 2008 19:57:42 +0200 (CEST)
On Tue, 30 Sep 2008, Edward Z. Yang wrote:

> In that case, you are certainly correct; adding a salt only hinders an
> attacker. But if we're worried about Origin giving away a secret
> intranet website, I think things should be reasonable. Of course, they
> can still dictionary brute-force it...

I guess the concern is primarily over home users, as they seem to be particularly fond of referrer-blocking plugins and so forth - and if "Origin" becomes nearly as often blocked over rational or irrational fears, it would become much less useful.

Corporations with large intranets probably care less, and there might be better ways to help them if they do (from RFC1918 checks on browser end, to proxies or internal redirectors that remove internal addresses only).

/mz
Received on Tuesday, 30 September 2008 10:57:42 UTC
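
The egress-proxy option mentioned in the message above, sketched as an added example that is not part of the original post or of any browser or proxy implementation. The function names are hypothetical, the check covers IPv4 address literals only (intranet DNS names would need a locally maintained suffix list), and dropping the whole header when any listed origin is internal is an assumed policy.

```python
import ipaddress
from urllib.parse import urlsplit

# The three IPv4 blocks reserved for private use by RFC 1918.
RFC1918_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918_origin(origin):
    """True if the origin's host is an IPv4 literal inside an RFC 1918 block."""
    try:
        host = urlsplit(origin).hostname
    except ValueError:
        return False          # malformed value, e.g. an unbalanced IPv6 bracket
    if host is None:
        return False          # "null" or a value with no authority part
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False          # a DNS name; only address literals are checked
    return addr.version == 4 and any(addr in net for net in RFC1918_NETS)


def filter_origin_header(value):
    """Return the Origin value to forward upstream, or None to drop the header.

    The value may carry several space-separated origins. Assumed policy:
    if any of them is internal, the whole header is dropped rather than
    rewritten, so the receiving server never sees a partially edited list.
    """
    if any(is_rfc1918_origin(o) for o in value.split()):
        return None
    return value


if __name__ == "__main__":
    # Constructed sample header values, not taken from real traffic.
    for sample in ("https://www.example.com",
                   "http://192.168.0.10:8080",
                   "http://intranet.example",
                   "null"):
        print(repr(sample), "->", repr(filter_origin_header(sample)))
```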