> Often, a server sending a 403 might not even have *checked* the
> credentials. "I don't care if you are who you claim to be; the person you
> claim to be isn't allowed to do that."

That's just dumb security. If I were a cracker, I'd make the request with a whole slew of different IDs. I know that I don't need to crack the credentials of anyone who gets a 403, because they wouldn't be authorized even if I did crack the credentials. I know that it's worthwhile to crack the credentials of anyone who gets something besides a 403.

> (Or, "no one is allowed to do that.")

Not quite as bad, but still not good. If I'm not allowed to do that, I shouldn't get information about whether or not anyone else can either.

- Rhys
__________________________________
Rhys Ulerich
Telecommunications Solutions Software Development
Email: [EMAIL PROTECTED]
Office: 512-838-1428
IBM Software Group - Austin, TX
_______________________________________________
Sip-implementors mailing list
[EMAIL PROTECTED]
http://lists.cs.columbia.edu/mailman/listinfo/sip-implementors
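The leak Rhys describes, as an added example that is not part of his post or of any project discussed on the list: two handlers for the same privileged request. The first decides authorization before it has authenticated the caller, so an unauthenticated request learns whether the claimed identity is on the ACL from the status code alone; the second authenticates first and gives every unauthenticated request the same 401. The user table, ACL, `Request` type and all function names are constructed for this demo; the credential check is deliberately minimal and stands in for whatever digest or token verification the real server performs.

```python
"""Authorization-before-authentication leak versus the hardened ordering.

Everything here (users, ACL, status codes as plain ints) is constructed for
the demo; it is not the code of any SIP or HTTP server discussed on the list.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional
import hmac

# Constructed credential store: identity -> shared secret (plain text only
# because this is a demo; a real server stores a verifier, not the secret).
USERS: Dict[str, str] = {"alice": "alice-secret", "bob": "bob-secret"}

# Constructed ACL: identities permitted to perform the privileged action.
ALLOWED = {"alice"}


@dataclass
class Request:
    claimed_identity: str
    secret: Optional[str]  # None means the caller offered no credentials


def _credentials_valid(req: Request) -> bool:
    """Constant-time comparison of the offered secret against the stored one."""
    expected = USERS.get(req.claimed_identity)
    if req.secret is None or expected is None:
        return False
    return hmac.compare_digest(expected, req.secret)


def leaky_handler(req: Request) -> int:
    """Authorizes first, authenticates second: the 403 is sent without ever
    checking credentials, so the status code reveals the ACL membership of
    whatever identity the caller merely *claimed*."""
    if req.claimed_identity not in ALLOWED:
        return 403
    if not _credentials_valid(req):
        return 401
    return 200


def hardened_handler(req: Request) -> int:
    """Authenticates first: anyone who cannot prove the claimed identity gets
    the same 401, whether or not that identity would be authorized. The 403
    is only ever seen by a caller who has already proven who they are."""
    if not _credentials_valid(req):
        return 401
    if req.claimed_identity not in ALLOWED:
        return 403
    return 200


def unauthenticated_responses(handler, identities: Iterable[str]) -> Dict[str, int]:
    """Defender's self-test: what does a request with NO credentials get back
    for each claimed identity? The responses should not vary by identity."""
    return {ident: handler(Request(ident, None)) for ident in identities}


def leaks_authorization(handler, identities: Iterable[str]) -> bool:
    """True if the status code an unauthenticated caller receives depends on
    which identity was claimed, i.e. the server is revealing ACL membership."""
    return len(set(unauthenticated_responses(handler, identities).values())) > 1


if __name__ == "__main__":
    probes = ["alice", "bob", "carol"]  # carol does not exist at all
    print("leaky   :", unauthenticated_responses(leaky_handler, probes))
    print("hardened:", unauthenticated_responses(hardened_handler, probes))
```

Run stand-alone, the leaky handler answers 401 for alice but 403 for bob and carol, which is exactly the distinction Rhys points out: only alice's credentials are worth attacking. The hardened handler answers 401 to all three, so an unauthenticated caller learns nothing about the ACL; the `leaks_authorization` check is the kind of regression test a server project can keep to make sure the ordering of the two checks is never swapped back.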
