On Sun, Jan 17, 2010 at 7:45 PM, Imri Goldberg <[email protected]> wrote:
> > > On Sun, Jan 17, 2010 at 5:02 PM, Larry Seltzer <[email protected]> wrote:
> >> The URL may not be obvious, but it's on a publicly-accessible site so
> >> it's at least a little cheesy to call it private.
> >>
> >> What do you think?
> >>
> If it's publicly available, it ain't private.
>

And a computer that isn't at the bottom of the Mariana Trench ain't secure.

Unguessable tokens have a long history of use in our field (CSRF tokens, etc) and having one lock access to an image is relatively legitimate. If there was a way to guess the token, we'd say there was an issue.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
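An added example, not part of the thread above: the argument is that a token-gated URL is "private" exactly as long as the token cannot be guessed, so a defender's check is to mint tokens from a CSPRNG and then estimate the guessing work. The store, resource ids and guess rates below are constructed for illustration.

```python
import hashlib
import math
import secrets

TOKEN_BYTES = 32  # 256 bits drawn from the OS CSPRNG per token

# Hypothetical in-memory store: sha256(token) -> resource id. Keeping only a
# hash means a leaked store does not hand out usable tokens, and looking up a
# fixed-length digest avoids a timing leak on the token itself.
_resources = {}


def _key(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(resource_id: str) -> str:
    """Mint an unguessable token and bind it to one private resource."""
    token = secrets.token_urlsafe(TOKEN_BYTES)
    _resources[_key(token)] = resource_id
    return token


def lookup(token: str):
    """Resolve a presented token to its resource id, or None if unknown."""
    return _resources.get(_key(token))


def expected_guesses(entropy_bits: float, valid_tokens: int = 1) -> float:
    """Random guesses expected before the first hit when `valid_tokens`
    live tokens share a space of 2**entropy_bits values."""
    return 2 ** entropy_bits / (2 * valid_tokens)


def years_to_guess(entropy_bits: float, valid_tokens: int,
                   guesses_per_second: float) -> float:
    """Expected wall-clock time for online guessing at a given rate."""
    seconds = expected_guesses(entropy_bits, valid_tokens) / guesses_per_second
    return seconds / (365 * 24 * 3600)


def sequential_id_entropy(id_count: int) -> float:
    """A 'token' that is really a sequential id has only log2(ids) bits."""
    return math.log2(id_count)


if __name__ == "__main__":
    t = issue_token("image-1")
    print("lookup ok:", lookup(t) == "image-1", "unknown:", lookup("bogus"))
    print("sequential ids, 1e6 images @1e3/s: %.2e years"
          % years_to_guess(sequential_id_entropy(10**6), 1, 1e3))
    print("256-bit tokens, 1e6 live @1e9/s:   %.2e years"
          % years_to_guess(8 * TOKEN_BYTES, 10**6, 1e9))
```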
