Hi All, I have a Secure Remote Password (SRP) implementation that went through a pen test. The testers provided a critical finding - the email address was sent in the plaintext. Note that plaintext email addresses are part of the protocol.

I'm not really convinced that using an email address in the plaintext for the SRP protocol is finding-worthy, considering email addresses are public information. And I'm very skeptical that it's a critical finding. With that said, what are the options here? I was thinking a simple mask function, which would remove the "plaintext-ness" (but not add any security to the system). Heuristically, masking the email address is *not* less secure than sending the email in the plaintext. Any ideas?

Jeff

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
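The masking option described in the post, as an added example that is not part of the original message or of Jeff's implementation: a compact SRP-6a-style exchange (not byte-exact to RFC 5054) in which the client sends `mask_identity(email)`, a hash of the address, as the SRP identity `I`, and the server stores and looks up the verifier under that token. The 1019-element group and the `srp-identity|` domain prefix are assumptions made for readability; the token is a stable pseudonym that hides the address only from an observer who cannot guess it, so it adds no secrecy to SRP itself, exactly as the post says.

```python
import hashlib
import secrets

# DEMO-ONLY group: 1019 is a safe prime (2*509 + 1) and 2 is a generator.
# A real deployment uses an RFC 5054 group of 2048 bits or more; this tiny
# modulus only keeps the arithmetic readable and provides no security.
N, g = 1019, 2

def H(*parts: bytes) -> int:
    """SHA-256 over the concatenated parts, read as a big-endian integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

def i2b(n: int) -> bytes:
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")

def mask_identity(email: str) -> bytes:
    """Opaque token sent on the wire instead of the plaintext address.
    Deterministic, so enrolment and login derive the same value and the server
    can key the verifier by it; it is a pseudonym of the address, not a secret."""
    return hashlib.sha256(b"srp-identity|" + email.encode()).digest()

def private_x(I: bytes, s: bytes, password: str) -> int:
    return H(s, hashlib.sha256(I + b":" + password.encode()).digest())

k = H(i2b(N), i2b(g))  # SRP-6a multiplier

def register(email: str, password: str):
    """Client side of enrolment; returns what the server stores: (I, s, v)."""
    I = mask_identity(email)
    s = secrets.token_bytes(16)
    return I, s, pow(g, private_x(I, s, password), N)

def srp_exchange(email: str, password: str, db: dict):
    """One login; returns (client session key, server session key)."""
    # Client -> Server: masked identity I and public ephemeral A (never the address).
    I = mask_identity(email)
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    # Server: look up (s, v) by the token, reject A == 0 mod N, send (s, B).
    s, v = db[I]
    if A == 0:
        raise ValueError("A mod N == 0")
    b = secrets.randbelow(N - 2) + 1
    B = (k * v + pow(g, b, N)) % N
    if B == 0:  # client-side check on the received B
        raise ValueError("B mod N == 0")
    u = H(i2b(A), i2b(B))
    if u == 0:
        raise ValueError("u == 0")
    # Both sides reach S = g^(b*(a + u*x)) without the password crossing the wire.
    x = private_x(I, s, password)
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    S_server = pow((A * pow(v, u, N)) % N, b, N)
    return hashlib.sha256(i2b(S_client)).digest(), hashlib.sha256(i2b(S_server)).digest()
```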