Changed the version number on the homepage. A new homepage is sort of in the works... Cheers michael

On 14.12.2011 15:15, "Smoes Orino" <[email protected]> wrote:
> Hey Robin,
>
> at the first look that is a fix that prevents people from exploiting the
> mentioned, but I think it opens a few new security questions, I don't know
> how relevant they are but:
>
> - XSS attacks to obtain sessionID open the chance to brute force the
>   password offline
> - A man in the middle attack is even worse, because one could get an
>   exact timestamp
>
> Why not use md5(time().user.someRand())? That would raise the possible
> tokens to the rand interval and let's say for a rand within 10^5 brute-force
> attacks will be impossible.
>
> Another important thing, to prevent brute-forcing in general, is to make a
> log-in penalty. Let's say 10 sec penalty after 3 failed logins, server-side
> implemented.
>
> Best wishes,
> Simon
>
> _______________________________________________
> Owncloud mailing list
> [email protected]
> https://mail.kde.org/mailman/listinfo/owncloud
_______________________________________________ Owncloud mailing list [email protected] https://mail.kde.org/mailman/listinfo/owncloud
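The two points raised in the quoted mail, a token whose guess space is larger than "seconds in the validity window" and a server-side penalty after failed logins, as an added illustration that is not part of the thread or of ownCloud's code. It is written in Python rather than ownCloud's PHP so it runs stand-alone; the validity window (3600 s), the rand() interval (10^5), the `LoginThrottle` class and the names `legacy_token`, `random_token` and `guess_space_bits` are assumptions of this example. The `guess_space_bits` function only computes the size of the search space an attacker who knows the username and the timestamp window would face; it does not enumerate anything.

```python
import hashlib
import math
import secrets
from dataclasses import dataclass, field

# Constructed parameters (assumptions for this example): how long a session or
# reset token stays valid, and the rand() interval proposed on the list (10^5).
TOKEN_VALIDITY_SECONDS = 3600
RAND_INTERVAL = 10 ** 5


def guess_space_bits(window_seconds: int, rand_interval: int = 1) -> float:
    """Bits of search space for a token of the form md5(time().user.rand())
    when the username and the validity window are known. md5 adds no secrecy,
    so the space is (seconds in the window) x (size of the rand interval)."""
    return math.log2(window_seconds * rand_interval)


def legacy_token(user: str, now: int, rand_value: int = 0) -> str:
    """The scheme discussed on the list, md5(time() . user . rand()), kept only
    to show it is fully determined by three values an attacker can narrow down."""
    return hashlib.md5(f"{now}{user}{rand_value}".encode()).hexdigest()


def random_token(nbytes: int = 32) -> str:
    """Token drawn from the OS CSPRNG: 2^(8*nbytes) possibilities, so the
    timestamp leaked by an XSS or man-in-the-middle observer buys nothing."""
    return secrets.token_hex(nbytes)


def token_matches(presented: str, stored: str) -> bool:
    """Compare tokens in constant time so the comparison itself leaks nothing."""
    return secrets.compare_digest(presented.encode(), stored.encode())


@dataclass
class LoginThrottle:
    """Server-side login penalty as proposed on the list: after max_failures
    consecutive failed logins for a key (user or client address, chosen by the
    caller) no further attempt is evaluated for penalty_seconds."""
    max_failures: int = 3
    penalty_seconds: int = 10
    failures: dict = field(default_factory=dict)
    locked_until: dict = field(default_factory=dict)

    def is_locked(self, key: str, now: float) -> bool:
        return self.locked_until.get(key, 0.0) > now

    def attempt(self, key: str, password_ok: bool, now: float) -> bool:
        """Return True only when the attempt is allowed and the password is correct.
        During the penalty window the password is not checked at all, so a
        guessing client learns nothing from attempts made while locked."""
        if self.is_locked(key, now):
            return False
        if password_ok:
            self.failures.pop(key, None)
            return True
        count = self.failures.get(key, 0) + 1
        self.failures[key] = count
        if count >= self.max_failures:
            self.locked_until[key] = now + self.penalty_seconds
            self.failures[key] = 0  # the counter restarts after the penalty
        return False


if __name__ == "__main__":
    print(f"time-only token, 1h window: {guess_space_bits(TOKEN_VALIDITY_SECONDS):.1f} bits")
    print(f"with rand() in 10^5:         {guess_space_bits(TOKEN_VALIDITY_SECONDS, RAND_INTERVAL):.1f} bits")
    print(f"32 random bytes:             {8 * 32} bits")
    t = LoginThrottle()
    for i in range(3):
        t.attempt("alice", False, now=float(i))
    print("locked after 3 failures:", t.is_locked("alice", now=3.0))
```

Running it prints roughly 11.8 bits for a time-only token over a one-hour window and about 28.4 bits with a 10^5 rand() interval, against 256 bits for a 32-byte CSPRNG token; the throttle locks the key for 10 s after the third consecutive failure and ignores attempts made during that window.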
