Juha Heinanen writes:

> > Moreover, the latest recommendations in security are to disclose as little as
> > possible about what was not "correct", avoiding responses like "invalid user id"
> > or "invalid password".
>
> I agree with that, but in case of an expired nonce, the sender already has
> somehow figured out what the username is.

I think that in order to be able to send a request with a stale nonce, the attacker must already have been able to capture the previous request/response. If so, there is not much to lose by including the flag.

-- Juha

_______________________________________________
Kamailio (SER) - Users Mailing List
[email protected]
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
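The trade-off discussed in this thread can be made concrete on the server side. The following is an added example, not code from the list post or from Kamailio: it implements RFC 2617's rule that a 401 challenge carries `stale=true` only when the request's digest is valid for the expired nonce, so a sender who never knew the password gets the same generic challenge whether the nonce was expired, forged or simply wrong. The nonce format (`<issue-time>:<HMAC tag>`), the server secret, the realm `example.org` and the account `alice` are constructed for the example and are not Kamailio's.

```python
import hashlib
import hmac
import time

# Constructed values for the example; not Kamailio's nonce format or configuration.
SERVER_SECRET = b"example-secret-not-for-production"
NONCE_LIFETIME = 30          # seconds a nonce stays acceptable
REALM = "example.org"
USERS = {"alice": "wonderland"}   # constructed sample credential store


def make_nonce(now=None):
    """Nonce = <issue-time>:<hex HMAC over the time with the server secret>.
    The HMAC lets the server recognise its own nonces without storing them."""
    now = int(time.time()) if now is None else int(now)
    tag = hmac.new(SERVER_SECRET, str(now).encode(), hashlib.sha256).hexdigest()[:32]
    return f"{now}:{tag}"


def nonce_status(nonce, now):
    """Classify a client-presented nonce as 'valid', 'expired' or 'forged'."""
    try:
        ts_str, tag = nonce.split(":", 1)
        ts = int(ts_str)
    except ValueError:
        return "forged"
    expected = hmac.new(SERVER_SECRET, ts_str.encode(), hashlib.sha256).hexdigest()[:32]
    if not hmac.compare_digest(tag, expected):
        return "forged"
    if now - ts > NONCE_LIFETIME or ts > now:
        return "expired"
    return "valid"


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, password, method, uri, nonce):
    """RFC 2617 response for algorithm=MD5 without qop:
    MD5(MD5(user:realm:pass) : nonce : MD5(method:uri))."""
    ha1 = md5hex(f"{username}:{REALM}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def authenticate(username, method, uri, nonce, response, now):
    """Return (status, stale): status is 'ok' or 'challenge'.
    stale is True only when the credentials verify against an expired nonce,
    which is what RFC 2617 requires; any other failure yields a plain challenge."""
    status = nonce_status(nonce, now)
    password = USERS.get(username)
    # Always compute a digest so timing does not reveal whether the user exists.
    expected = digest_response(username, password or "", method, uri, nonce)
    creds_ok = password is not None and hmac.compare_digest(expected, response)
    if status == "valid" and creds_ok:
        return ("ok", False)
    if status == "expired" and creds_ok:
        return ("challenge", True)
    return ("challenge", False)


def challenge_header(now, stale):
    """Build the WWW-Authenticate line for a 401, with a fresh nonce."""
    params = f'Digest realm="{REALM}", nonce="{make_nonce(now)}", algorithm=MD5'
    if stale:
        params += ", stale=true"
    return "WWW-Authenticate: " + params


if __name__ == "__main__":
    now = int(time.time())
    nonce = make_nonce(now - NONCE_LIFETIME - 5)        # already expired
    resp = digest_response("alice", "wonderland", "REGISTER", "sip:example.org", nonce)
    status, stale = authenticate("alice", "REGISTER", "sip:example.org", nonce, resp, now)
    print(status, challenge_header(now, stale))
```

With this split, a request that merely replays a captured nonce without a valid digest is indistinguishable from any other failed attempt, while a legitimate client whose nonce aged out is told to retry without re-prompting the user.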
