On Feb 19, 2014, at 1:32 PM, Toby Elliott <telli...@mozilla.com> wrote:
>
> On Feb 19, 2014, at 1:26 PM, Richard Newman <rnew...@mozilla.com> wrote:
>
>>> We will not fail because TLS-level attackers replay users' requests. We are
>>> much more likely to fail by not being able to manage self-induced
>>> complexity and repelling users with frustrating experiences resulting from
>>> that complexity.
>>
>> +eleventy.
>
>
> Indeed. While we're theoretically a little more of a target than current sync
> (since the password stretching *might* lead to weaker crypto), we're still
> miles away from being a valuable target. A little flexibility in service of
> making the users happier is good.
>

And if FxA Sync comes tumbling down due to attacker compromise, it's not going to be because of weakened Hawk replay protection. :) But in general, we do need to be wary of walking that fine line of security and complexity tradeoffs, though.

-chris

> Toby

_______________________________________________
Sync-dev mailing list
Sync-dev@mozilla.org
https://mail.mozilla.org/listinfo/sync-dev