-Gel
-----Original Message-----
From: Michael Dinowitz [mailto:[EMAIL PROTECTED]
It looks to me like there's a problem with web services, specifically the ones that allow logins. Basically, a username/password is sent to the service and it responds with data if the person is a valid user. What stops someone from using the web service again and again to test a un/pw until they get the right one?
Maybe the answer is obvious and I don't see it.
checking amount of attempts per IP - IP can be forged
checking amount of attempts per UN - scheduled attempt or multiple UN tries
hidden communications key in stream - can be 'seen' (combined with SSL might work)
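
Added example, not part of the original message: a sketch of the first two checks listed above (attempts per IP and attempts per username) enforced together in front of the password check. The class and function names, the thresholds and the sample attempts are all hypothetical and constructed for illustration.

```python
import time

class LoginThrottle:
    """Sliding-window failure counters, one per username and one per source IP."""

    def __init__(self, max_per_user=5, max_per_ip=20, window=900, clock=time.monotonic):
        self.limits = {"user": max_per_user, "ip": max_per_ip}  # assumed thresholds
        self.window = window            # seconds a failure counts against the key
        self.clock = clock              # injectable so the logic can be tested
        self.failures = {}              # (kind, value) -> list of failure times

    def _recent(self, kind, value):
        cutoff = self.clock() - self.window
        kept = [t for t in self.failures.get((kind, value), []) if t > cutoff]
        if kept:
            self.failures[(kind, value)] = kept
        else:
            self.failures.pop((kind, value), None)   # do not keep empty keys
        return len(kept)

    def allowed(self, username, ip):
        """Call before checking the password; False means reject unchecked."""
        return (self._recent("user", username.lower()) < self.limits["user"]
                and self._recent("ip", ip) < self.limits["ip"])

    def record_failure(self, username, ip):
        now = self.clock()
        for key in (("user", username.lower()), ("ip", ip)):
            self.failures.setdefault(key, []).append(now)

    def record_success(self, username):
        # Only the account counter resets; the IP counter keeps aging out on
        # its own so a valid login cannot be used to clear it.
        self.failures.pop(("user", username.lower()), None)


def simulate(attempts, throttle, check_password):
    """Feed constructed (username, ip, password) attempts; return outcomes."""
    outcomes = []
    for username, ip, password in attempts:
        if not throttle.allowed(username, ip):
            outcomes.append("throttled")
        elif check_password(username, password):
            throttle.record_success(username)
            outcomes.append("ok")
        else:
            throttle.record_failure(username, ip)
            outcomes.append("denied")
    return outcomes
```

The per-username counter holds when the source address changes on every request, and the per-IP counter holds when one source cycles through many usernames. While the per-username limit is tripped the legitimate user is delayed too, which is the cost of that counter.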

