On 2012-10-19 11:47 AM, Nico Williams wrote:
Lack of client ID privacy protection can lead to some attacks such as password guesses based on the ID or knowledge of the person that ID is for. If you were working for a spy agency (say), you'd definitely want priv. prot. for the client ID!
If the attacker knows the email address, he can identify the user - who is very likely using the same password for his porn account, etc. Attacker intercepts porn account using Firesheep, and ... he is in.
