On Tue, 30 Sep 2008, Edward Z. Yang wrote:

> > More importantly, since the dictionary of possible inputs is rather
> > limited, it would be pretty trivial to build a dictionary of site <->
> > hash pairs and crack the values. It may protect
> > xyzzy2984.eur.int.example.com, but would still reveal to me that you are
> > coming from playboy.com.
>
> Salt it. Problem solved.

Not really? I just need to rebuild my dictionary for that salt, and checking against, say, a million or ten million common domains wouldn't be very expensive. It's not very expensive to build such a list of domains, either.

/mz
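As an added illustration of the exchange above (example code, not written by either participant), the following Python shows why a salt alone does not protect a low-entropy input such as a referrer domain, and how a keyed hash (HMAC under a secret key) changes the picture. The domain list, salt and key values are constructed for the demonstration.

```python
import hashlib
import hmac
from typing import Dict, Iterable, Optional

# Constructed stand-in for the "million or ten million common domains" list
# the thread mentions; a real list is far longer but just as cheap to obtain.
COMMON_DOMAINS = [
    "example.com", "playboy.com", "wikipedia.org", "google.com",
    "xyzzy2984.eur.int.example.com",
]


def salted_hash(domain: str, salt: bytes) -> str:
    """Unkeyed SHA-256 over salt||domain. The salt is not secret (it has to be
    stored or sent with the hash), so it only forces one table per salt."""
    return hashlib.sha256(salt + domain.encode()).hexdigest()


def build_salted_table(salt: bytes, candidates: Iterable[str]) -> Dict[str, str]:
    """One SHA-256 per candidate domain: for ten million domains this is
    seconds of CPU, which is the cheap rebuild /mz describes."""
    return {salted_hash(d, salt): d for d in candidates}


def lookup_salted(target: str, salt: bytes, candidates: Iterable[str]) -> Optional[str]:
    """Check whether a salted hash leaks its domain: rebuild the table for that
    salt and look the hash up. Returns the domain, or None if not in the list."""
    return build_salted_table(salt, candidates).get(target)


def keyed_hash(domain: str, key: bytes) -> str:
    """HMAC-SHA256 under a key that is never disclosed. Without the key no
    domain -> tag dictionary can be built, however small the input space.
    Caveat: with a fixed key the same domain still yields the same tag, so
    records remain linkable; rotate the key per period if that matters."""
    return hmac.new(key, domain.encode(), hashlib.sha256).hexdigest()


def lookup_keyed(target: str, key: bytes, candidates: Iterable[str]) -> Optional[str]:
    """The same table approach against the keyed scheme. It only succeeds for
    whoever holds the real key; a guessed key produces a useless table."""
    table = {keyed_hash(d, key): d for d in candidates}
    return table.get(target)
```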
