On Fri Mar 6 14:58:05 2009, Eric Rescorla wrote:
> What do you mean rejects it? The attacker simulates a TCP-level
> failure.
> Alternately, he just stalls and waits for the client to give up if
> he can't brute-force the password in time.
Right, well, I think I've made myself look stupid enough for one day,
so I'll restrict myself to asking questions.
So, we have some potential problems with the use of anything that's
subject to an offline dictionary attack.
Have you got any figures on timescales for this, and computing power
required? I mean, is this something that anyone who hasn't upset the
NSA or GCHQ should be concerned about, or are we within reasonable
range of someone trying to phish credit card numbers?
Dave.
--
Dave Cridland - mailto:[email protected] - xmpp:[email protected]
- acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
- http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade