Re: [Firebird-devel] Authentication plugin mismatch not clearly reported to client

2018-06-25 Thread Alex Peshkoff via Firebird-devel
On 25.06.2018 13:40, Mark Rotteveel wrote: On 25-6-2018 10:35, Alex Peshkoff via Firebird-devel wrote: On 25.06.2018 10:47, Mark Rotteveel wrote: On 2018-06-24 20:49, Alex Peshkoff via Firebird-devel wrote: Because it's a bad idea to open to the client (especially not authenticated) details of proble

Re: [Firebird-devel] Authentication plugin mismatch not clearly reported to client

2018-06-25 Thread Mark Rotteveel
On 25-6-2018 12:26, Dimitry Sibiryakov wrote: 25.06.2018 12:22, Alex Peshkoff via Firebird-devel wrote: This attack does not depend on plugin name knowledge. If one is using the legacy plugin there is no need to try >8 char passwords. This is prevented by a timeout after 3 unsuccessful logins. You ma

Re: [Firebird-devel] Authentication plugin mismatch not clearly reported to client

2018-06-25 Thread Mark Rotteveel
On 25-6-2018 10:35, Alex Peshkoff via Firebird-devel wrote: On 25.06.2018 10:47, Mark Rotteveel wrote: On 2018-06-24 20:49, Alex Peshkoff via Firebird-devel wrote: Because it's a bad idea to open to the client (especially not authenticated) details of problems with authentication. I agree with that

Re: [Firebird-devel] Authentication plugin mismatch not clearly reported to client

2018-06-25 Thread Dimitry Sibiryakov
25.06.2018 12:29, Tony Whyman wrote: There is nothing theoretical about brute force attacks. They always work, the only issue is how long they take. Look at my answer to Alex. This is a topic about replacing the error "shit happen" with something useful for diagnostics. -- WBR, SD. -

Re: [Firebird-devel] Authentication plugin mismatch not clearly reported to client

2018-06-25 Thread Tony Whyman
On 25/06/18 11:17, Dimitry Sibiryakov wrote: 25.06.2018 11:29, Tony Whyman wrote: Even if it were still computationally infeasible to break Srp today, it is probable that in the next few years it will be totally broken. You missed my words "non-theoretical". There is nothing theoretical abo

Re: [Firebird-devel] Authentication plugin mismatch not clearly reported to client

2018-06-25 Thread Dimitry Sibiryakov
25.06.2018 12:22, Alex Peshkoff via Firebird-devel wrote: This attack does not depend on plugin name knowledge. If one is using the legacy plugin there is no need to try >8 char passwords. This is prevented by a timeout after 3 unsuccessful logins. You may start completely blocking the account after that ins

Re: [Firebird-devel] Authentication plugin mismatch not clearly reported to client

2018-06-25 Thread Alex Peshkoff via Firebird-devel
On 25.06.2018 13:17, Dimitry Sibiryakov wrote: 25.06.2018 11:14, Alex Peshkoff via Firebird-devel wrote: Brute-force passwords over the wire. We are still missing any password regulation (like min. length, UP/low letters, etc.), i.e. people can use passwords like 'pass' and such things can be bru

Re: [Firebird-devel] Authentication plugin mismatch not clearly reported to client

2018-06-25 Thread Dimitry Sibiryakov
25.06.2018 11:14, Alex Peshkoff via Firebird-devel wrote: Brute-force passwords over the wire. We are still missing any password regulation (like min. length, UP/low letters, etc.), i.e. people can use passwords like 'pass' and such things can be brute-forced. This attack does not depend on plu

Re: [Firebird-devel] Authentication plugin mismatch not clearly reported to client

2018-06-25 Thread Dimitry Sibiryakov
25.06.2018 11:29, Tony Whyman wrote: Even if it were still computationally infeasible to break Srp today, it is probable that in the next few years it will be totally broken. You missed my words "non-theoretical". -- WBR, SD. --

Re: [Firebird-devel] Authentication plugin mismatch not clearly reported to client

2018-06-25 Thread Tony Whyman
On 25/06/18 10:14, Alex Peshkoff via Firebird-devel wrote: On 25.06.2018 12:02, Dimitry Sibiryakov wrote: 25.06.2018 10:35, Alex Peshkoff via Firebird-devel wrote: Afraid you are wrong here. It helps an attacker to detect what plugin is actually used by the server (for example srp or srp256) an

Re: [Firebird-devel] Authentication plugin mismatch not clearly reported to client

2018-06-25 Thread Tony Whyman
On 25/06/18 10:02, Dimitry Sibiryakov wrote: 25.06.2018 10:35, Alex Peshkoff via Firebird-devel wrote: Afraid you are wrong here. It helps an attacker to detect what plugin is actually used by the server (for example srp or srp256) and use that info to attack a particular plugin later. Does srp

Re: [Firebird-devel] Authentication plugin mismatch not clearly reported to client

2018-06-25 Thread Alex Peshkoff via Firebird-devel
On 25.06.2018 12:02, Dimitry Sibiryakov wrote: 25.06.2018 10:35, Alex Peshkoff via Firebird-devel wrote: Afraid you are wrong here. It helps an attacker to detect what plugin is actually used by the server (for example srp or srp256) and use that info to attack a particular plugin later. Does s

Re: [Firebird-devel] Authentication plugin mismatch not clearly reported to client

2018-06-25 Thread Dimitry Sibiryakov
25.06.2018 10:35, Alex Peshkoff via Firebird-devel wrote: Afraid you are wrong here. It helps an attacker to detect what plugin is actually used by the server (for example srp or srp256) and use that info to attack a particular plugin later. Does srp have a non-theoretical vulnerability? -- WBR

Re: [Firebird-devel] Authentication plugin mismatch not clearly reported to client

2018-06-25 Thread Alex Peshkoff via Firebird-devel
On 25.06.2018 10:47, Mark Rotteveel wrote: On 2018-06-24 20:49, Alex Peshkoff via Firebird-devel wrote: On 23.06.2018 17:06, Mark Rotteveel wrote: Why is an authentication plugin mismatch (as in the plugin lists of client and server have no overlap) not clearly communicated to the clie

Re: [Firebird-devel] Authentication plugin mismatch not clearly reported to client

2018-06-25 Thread Mark Rotteveel
On 2018-06-24 20:49, Alex Peshkoff via Firebird-devel wrote: On 23.06.2018 17:06, Mark Rotteveel wrote: Why is an authentication plugin mismatch (as in the plugin lists of client and server have no overlap) not clearly communicated to the client? For example if I have AuthServer = Srp

Re: [Firebird-devel] Authentication plugin mismatch not clearly reported to client

2018-06-24 Thread Alex Peshkoff via Firebird-devel
On 23.06.2018 17:06, Mark Rotteveel wrote: Why is an authentication plugin mismatch (as in the plugin lists of client and server have no overlap) not clearly communicated to the client? For example if I have AuthServer = Srp256,Srp,Legacy_Auth and the client only tries Srp224, then th

[Firebird-devel] Authentication plugin mismatch not clearly reported to client

2018-06-23 Thread Mark Rotteveel
Why is an authentication plugin mismatch (as in the plugin lists of client and server have no overlap) not clearly communicated to the client? For example if I have AuthServer = Srp256,Srp,Legacy_Auth and the client only tries Srp224, then the error returned to the client is Error oc