On Sun, Jan 17, 2010 at 9:08 PM, Dan Kaminsky <d...@doxpara.com> wrote:
> And a computer that isn't at the bottom of the Mariana Trench ain't secure. > > Unguessable tokens have a long history of use in our field (CSRF tokens, > etc) and having one lock access to an image is relatively legitimate. If > there was a way to guess the token, we'd say there was an issue. > I think the difference is how long you expect that token to be kept. The link given, afaict, is a permanent one, unlike csrf tokens or various change password tokens. Cheers, Imri -- Imri Goldberg -------------------------------------- http://plnnr.com/ - automatic trip planning http://www.algorithm.co.il/blogs/ -------------------------------------- -- insert signature here ----
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
