[Foundation] Last Minute JEP 78 Concerns
Chris Mullins
cmullins at winfessor.com
Thu May 22 14:54:25 CDT 2003
I implemented JEP 78 last night, and while doing so found an area that
concerns me.
The sending of the User Name during the Auth "discovery" process, and
the resulting "User does not exist" error code, seems to invite a brute
force attack aimed at enumerating the users on the server.
IP Based Karma can eliminate some of this (but a large scale distributed
attack would still work), but to have this JEP be secure then requires
that Karma be implemented on the server, which introduces yet another
dependence.
Is this something worth fixing before anyone else implements the JEP?
--
Chris Mullins
More information about the Members
mailing list