[Foundation] Last Minute JEP 78 Concerns

Chris Mullins cmullins at winfessor.com
Thu May 22 14:54:25 CDT 2003


I implemented JEP 78 last night, and while doing so found an area that
concerns me.

The sending of the User Name during the Auth "discovery" process, and
the resulting "User does not exist" error code, seems to invite a brute
force attack aimed at enumerating the users on the server.

IP-based Karma can eliminate some of this (but a large-scale distributed
attack would still work), but to have this JEP be secure then requires
that Karma be implemented on the server, which introduces yet another
dependence.

Is this something worth fixing before anyone else implements the JEP? 

-- 
Chris Mullins
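The weakness described in the post, and the server-side mitigation it alludes to, as an added example that is not part of the original message or of any JEP 78 implementation: a toy `jabber:iq:auth` handler in which the "discovery" reply and the authentication failure are identical for known and unknown usernames, so neither step works as an account-existence oracle, and a per-source attempt counter stands in for IP-based Karma. The user table, the source addresses and the attempt limit are constructed for illustration; the response dictionaries are a stand-in for the real IQ stanzas.

```python
# Added example (not from the original post): a jabber:iq:auth handler whose
# responses do not depend on whether the username exists, plus a per-source
# attempt counter that plays the role of the server-side Karma rate limiter.
import hmac
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample account table (plaintext only to keep the example short).
USERS = {"alice": "correct-horse", "bob": "battery-staple"}
# Dummy secret compared against when the user is unknown, so the comparison
# takes the same time for existing and non-existing accounts.
DUMMY_SECRET = "no-such-user-placeholder"
# Fields a JEP 78 server advertises in its discovery reply.
AUTH_FIELDS = ["username", "password", "digest", "resource"]


@dataclass
class AuthServer:
    # Constructed limit: how many auth attempts one source may make.
    max_attempts_per_source: int = 5
    _attempts: dict = field(default_factory=lambda: defaultdict(int))

    def discover_leaky(self, username):
        """The behaviour the post worries about: unknown users get a distinct error."""
        if username not in USERS:
            return {"type": "error", "code": 401, "text": "User does not exist"}
        return {"type": "result", "fields": AUTH_FIELDS}

    def discover_uniform(self, username):
        """Hardened discovery: the same field list for every username, no lookup."""
        return {"type": "result", "fields": AUTH_FIELDS}

    def authenticate(self, username, password, source_ip):
        """Hardened 'set' step: one generic failure and a per-source attempt cap."""
        self._attempts[source_ip] += 1
        if self._attempts[source_ip] > self.max_attempts_per_source:
            # Constructed choice of error for a throttled source.
            return {"type": "error", "code": 503, "text": "Too many attempts"}
        stored = USERS.get(username, DUMMY_SECRET)
        # Constant-time comparison runs even for unknown users; the membership
        # check afterwards keeps a guessed DUMMY_SECRET from logging anyone in.
        matches = hmac.compare_digest(stored.encode(), password.encode())
        if not (matches and username in USERS):
            # Same code and text for "no such user" and "wrong password".
            return {"type": "error", "code": 401, "text": "Not authorized"}
        return {"type": "result"}


if __name__ == "__main__":
    server = AuthServer()
    print(server.discover_leaky("nobody"))          # reveals the account is absent
    print(server.discover_uniform("nobody"))        # indistinguishable from a real user
    print(server.authenticate("nobody", "x", "10.0.0.1"))
    print(server.authenticate("alice", "wrong", "10.0.0.1"))
```

The uniform reply only removes the oracle from the discovery step; the `set` step still has to fail identically for a bad password and an unknown user, which is why the comparison runs against a dummy secret either way. The attempt counter illustrates the post's caveat rather than solving it: it is keyed on the source address, so a distributed guesser that spreads attempts across many sources stays under the limit.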