On 25.06.2018 13:40, Mark Rotteveel wrote:
On 25-6-2018 10:35, Alex Peshkoff via Firebird-devel wrote:
On 25.06.2018 10:47, Mark Rotteveel wrote:
On 2018-06-24 20:49, Alex Peshkoff via Firebird-devel wrote:
Because it's a bad idea to open to client (especially not authenticated)
details of proble
On 25-6-2018 12:26, Dimitry Sibiryakov wrote:
25.06.2018 12:22, Alex Peshkoff via Firebird-devel wrote:
This attack does not depend on plugin name knowledge.
If one is using legacy plugin no need to try >8 chars passwords.
This is prevented by timeout after 3 unsuccessful logins. You ma
On 25-6-2018 10:35, Alex Peshkoff via Firebird-devel wrote:
On 25.06.2018 10:47, Mark Rotteveel wrote:
On 2018-06-24 20:49, Alex Peshkoff via Firebird-devel wrote:
Because it's a bad idea to open to client (especially not authenticated)
details of problems with authentication.
I agree with that
25.06.2018 12:29, Tony Whyman wrote:
There is nothing theoretical about brute force attacks. They always work, the only issue
is how long they take.
Look at my answer to Alex. This is a topic about replacing error "shit happen" with
something useful for diagnostic.
--
WBR, SD.
-
On 25/06/18 11:17, Dimitry Sibiryakov wrote:
25.06.2018 11:29, Tony Whyman wrote:
Even if it were still computationally infeasible to break Srp today,
it is probable that in the next few years it will be totally broken.
You missed my words "non-theoretical".
There is nothing theoretical abo
25.06.2018 12:22, Alex Peshkoff via Firebird-devel wrote:
This attack does not depend on plugin name knowledge.
If one is using legacy plugin no need to try >8 chars passwords.
This is prevented by timeout after 3 unsuccessful logins. You may start completely
block account after that ins
Support auth_plugin_list dpb/spb item from application to client
Key: CORE-5860
URL: http://tracker.firebirdsql.org/browse/CORE-5860
Project: Firebird Core
Issue Type: Improvem
On 25-6-2018 10:32, Alex Peshkoff via Firebird-devel wrote:
On 25.06.2018 10:51, Mark Rotteveel wrote:
On 2018-06-24 20:51, Alex Peshkoff via Firebird-devel wrote:
Because it's as designed. What problems with it?
Having to construct the config string is awkward, especially when you
already h
On 25.06.2018 13:17, Dimitry Sibiryakov wrote:
25.06.2018 11:14, Alex Peshkoff via Firebird-devel wrote:
Bruteforce passwords over the wire. We are still missing any
passwords regulation (like min.length, UP/low letters, etc.) i.e.
people can use passwords like 'pass' and such things can be bru
25.06.2018 11:14, Alex Peshkoff via Firebird-devel wrote:
Bruteforce passwords over the wire. We are still missing any passwords regulation (like
min.length, UP/low letters, etc.) i.e. people can use passwords like 'pass' and such
things can be bruteforced.
This attack does not depend on plu
25.06.2018 11:29, Tony Whyman wrote:
Even if it were still computationally infeasible to break Srp today, it is probable that
in the next few years it will be totally broken.
You missed my words "non-theoretical".
--
WBR, SD.
--
On 25/06/18 10:14, Alex Peshkoff via Firebird-devel wrote:
On 25.06.2018 12:02, Dimitry Sibiryakov wrote:
25.06.2018 10:35, Alex Peshkoff via Firebird-devel wrote:
Afraid you are wrong here. It helps an attacker to detect what
plugin is actually used by server (for example - srp or srp256) an
On 25/06/18 10:02, Dimitry Sibiryakov wrote:
25.06.2018 10:35, Alex Peshkoff via Firebird-devel wrote:
Afraid you are wrong here. It helps an attacker to detect what plugin
is actually used by server (for example - srp or srp256) and use that
info to attack particular plugin later.
Does srp
On 25.06.2018 12:02, Dimitry Sibiryakov wrote:
25.06.2018 10:35, Alex Peshkoff via Firebird-devel wrote:
Afraid you are wrong here. It helps an attacker to detect what plugin
is actually used by server (for example - srp or srp256) and use that
info to attack particular plugin later.
Does s
25.06.2018 10:35, Alex Peshkoff via Firebird-devel wrote:
Afraid you are wrong here. It helps an attacker to detect what plugin is actually used by
server (for example - srp or srp256) and use that info to attack particular plugin later.
Does srp have non-theoretical vulnerability?
--
WBR
On 25.06.2018 10:47, Mark Rotteveel wrote:
On 2018-06-24 20:49, Alex Peshkoff via Firebird-devel wrote:
On 23.06.2018 17:06, Mark Rotteveel wrote:
Why is an authentication plugin mismatch (as in the list of plugins
between client and server have no overlap) not clearly communicated
to the clie
On 25.06.2018 10:51, Mark Rotteveel wrote:
On 2018-06-24 20:51, Alex Peshkoff via Firebird-devel wrote:
On 23.06.2018 19:05, Mark Rotteveel wrote:
When using the native fbclient, why can't I use
isc_dpb_auth_plugin_list/isc_spb_auth_plugin_list to pass the
authentication plugins to try, and wh
On 2018-06-24 20:51, Alex Peshkoff via Firebird-devel wrote:
On 23.06.2018 19:05, Mark Rotteveel wrote:
When using the native fbclient, why can't I use
isc_dpb_auth_plugin_list/isc_spb_auth_plugin_list to pass the
authentication plugins to try, and why do I need to use the
isc_dpb_config/isc_s
On 2018-06-24 20:49, Alex Peshkoff via Firebird-devel wrote:
On 23.06.2018 17:06, Mark Rotteveel wrote:
Why is an authentication plugin mismatch (as in the list of plugins
between client and server have no overlap) not clearly communicated to
the client?
For example if I have AuthServer = Srp
Adriano dos Santos Fernandes wrote Sun, 24 Jun 2018 21:09:21 +0300:
Not touching the algorithm AUTOTERM. This functionality would be useful.
Moreover, some IDEs for Firebird successfully solve this problem, for
example IB Expert. Although perhaps this is not cheap.
--
Simonov Denis
---