Gervase Markham wrote:

> Ian G wrote:
>
>> Yup. Go through their logs, pull out all the URLs that
>> are cached there, and run them through the hash.
>
> Er... if the URLs are available in plain text in their "logs" (I presume you mean history), then there's no need for them to reverse the hash. They can just look at where they've been.
>
> Or have I missed something?

Your original comment was that they are not
reversible.  That's a tricky assumption.  Above
I gave a way in which they can be "reversed"
but perhaps it wasn't in the way you expected.

Now, you might think that's quibbling, but in
security work we cannot afford to take textbook
security statements and just apply them
as if they always hold true.  Subtle things
matter, and the attacker has the ability to
change the rules.

(I'd have to go back to the original design
that you were discussing to see whether
the reversing I described results in a
weakness.)

iang

--
News and views on what matters in finance+crypto:
       http://financialcryptography.com/

_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
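
The kind of "reversal" discussed in the thread above, as an added example that is not part of the original messages or of any Mozilla code: a store of unkeyed URL digests is checked against a candidate URL list, next to a keyed variant for comparison. SHA-256, the HMAC variant, the URLs, the key and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

def plain_digest(url: str) -> str:
    # Assumption: the store keeps an unkeyed SHA-256 of the UTF-8 URL.
    return hashlib.sha256(url.encode("utf-8")).hexdigest()

def keyed_digest(url: str, key: bytes) -> str:
    # Comparison case: the digest also depends on a secret key.
    return hmac.new(key, url.encode("utf-8"), hashlib.sha256).hexdigest()

def recover(stored, candidates, digest=plain_digest):
    """Map each stored digest to the candidate URL that produces it, if any.

    Nothing is inverted mathematically: every candidate is hashed forward
    and the results are matched against the store.
    """
    table = {digest(u): u for u in candidates}
    return {d: table[d] for d in stored if d in table}

# Constructed sample data (not taken from the thread).
VISITED = [
    "https://bank.example/login",
    "https://mail.example/inbox",
    "https://intranet.example/hr/payroll",
]
CANDIDATES = [
    "https://bank.example/login",
    "https://mail.example/inbox",
    "https://news.example/",
]
SECRET_KEY = b"constructed-demo-key"

def demo():
    plain_store = {plain_digest(u) for u in VISITED}
    keyed_store = {keyed_digest(u, SECRET_KEY) for u in VISITED}
    # Unkeyed store: every visited URL that is also a candidate is identified.
    leaked_plain = sorted(recover(plain_store, CANDIDATES).values())
    # Keyed store: the same candidate list matches nothing without the key.
    leaked_keyed = sorted(recover(keyed_store, CANDIDATES).values())
    return leaked_plain, leaked_keyed

if __name__ == "__main__":
    print(demo())
```

The URL that never appears in the candidate list stays unidentified in both cases, which is the limit of this kind of reversal: it confirms guesses, it does not produce unknown inputs.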
