On Tue, 2003-07-08 at 11:00, Nigel Metheringham wrote:
> One thing that could be considered to protect ourselves against such
> attacks if there was a way of reducing the complexity to reasonable
> levels, would be to drop pending subscription requests after a couple
> (think of an appropriate number) of failed cookie cracking attempts.
> That of course transforms this into a denial of service attack :-(
Oh whoops, I just realized that if you get the cookie wrong, you have no idea which subscription request they intended to confirm. sha has 160 bits of data in it and if you're off by one, you don't get a hit and we error out. But there's no way to match the sha hexdigest that you got in the confirmation attempt with one in the database of pending subscription requests.

-Barry

_______________________________________________
Mailman-Developers mailing list
[EMAIL PROTECTED]
http://mail.python.org/mailman/listinfo/mailman-developers
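The point Barry makes above is easy to see in code. The following is an added illustration, not Mailman's own code: a pending-subscription table keyed by a 160-bit SHA-1 hexdigest cookie, where a confirmation attempt either matches one entry exactly or matches nothing. The cookie derivation (SHA-1 over random bytes), the `PendingSubscriptions` class and its method names are assumptions made for this example. A wrong cookie, even one differing in a single hex digit, yields no hit and carries no information about which request it was meant for, so the only thing the server can count is the failure itself, not a failure "against" a particular pending request.

```python
import hashlib
import hmac
import secrets


def new_cookie() -> str:
    """Return a 160-bit confirmation cookie as a 40-character SHA-1 hexdigest.

    Assumption for this example: the cookie is the SHA-1 of 32 random bytes.
    The message only says the cookie is a sha hexdigest with 160 bits.
    """
    return hashlib.sha1(secrets.token_bytes(32)).hexdigest()


class PendingSubscriptions:
    """Hypothetical store of pending requests, keyed by confirmation cookie."""

    def __init__(self) -> None:
        self._pending: dict[str, str] = {}   # cookie hexdigest -> address
        self.failed_attempts = 0             # the only thing a miss lets us count

    def add(self, address: str) -> str:
        """Register a pending request and return the cookie to mail out."""
        cookie = new_cookie()
        self._pending[cookie] = address
        return cookie

    def pending_count(self) -> int:
        return len(self._pending)

    def confirm(self, cookie: str):
        """Return the subscriber address if `cookie` matches exactly, else None.

        Each stored cookie is compared in constant time. A miss gives us no
        candidate request to penalise: an attacker's wrong guess is not
        "close to" any entry in a way the server can observe.
        """
        match = None
        for stored in self._pending:
            if hmac.compare_digest(stored, cookie):
                match = stored
                break
        if match is None:
            self.failed_attempts += 1
            return None
        return self._pending.pop(match)


def flip_last_hex_digit(cookie: str) -> str:
    """Constructed 'off by one' cookie: change only the final hex digit."""
    last = '0' if cookie[-1] != '0' else '1'
    return cookie[:-1] + last


if __name__ == "__main__":
    store = PendingSubscriptions()
    cookie = store.add("alice@example.invalid")   # constructed sample address
    near_miss = flip_last_hex_digit(cookie)
    print("near miss ->", store.confirm(near_miss))     # None
    print("pending still", store.pending_count())       # 1: nothing to drop
    print("exact ->", store.confirm(cookie))            # the address
```

Because the table is keyed by the cookie itself, there is no per-request failure counter to increment, which is exactly why "drop the request after N failed attempts" cannot be implemented as stated; the store can only track an aggregate `failed_attempts` figure.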
