On Tue, 30 Sep 2008, Edward Z. Yang wrote:

In that case, you are certainly correct; adding a salt only hinders an attacker. But if we're worried about Origin giving away a secret intranet website, I think things should be reasonable. Of course, they can still dictionary brute-force it...

I guess the concern is primarily over home users, as they seem to be particularly fond of referrer-blocking plugins and so forth - and if "Origin" becomes nearly as often blocked over rational or irrational fears, it would become much less useful.

Corporations with large intranets probably care less, and there might be better ways to help them if they do (from RFC1918 checks on browser end, to proxies or internal redirectors that remove internal addresses only).

/mz
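As an added illustration (not part of the original thread, and not code by its author), the "proxies or internal redirectors that remove internal addresses" idea from the message above can be sketched as an outbound header scrub: the Origin and Referer headers are dropped only when they name an RFC1918 address, so external origins still reach the destination intact. The header dict, the helper names and the sample request are all constructed for this example.

```python
import ipaddress
from urllib.parse import urlsplit

# RFC1918 private IPv4 ranges; loopback is added as an assumption,
# since a Referer of http://127.0.0.1/... leaks nothing useful either.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# Headers an egress proxy would inspect (constructed list for this example).
SCRUBBED_HEADERS = ("Origin", "Referer")


def origin_is_internal(value):
    """Return True if an Origin/Referer value points at an internal IPv4 address.

    Only literal IP addresses are checked; hostnames are left alone because
    resolving them from the proxy would itself leak intranet names.
    """
    if not value or value.strip().lower() == "null":
        return False  # "null" origin carries no address to leak
    parts = urlsplit(value.strip())
    host = parts.hostname  # strips port and surrounding brackets
    if host is None:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # not an IP literal (e.g. a DNS name)
    return any(addr in net for net in INTERNAL_NETS)


def scrub_headers(headers):
    """Return a copy of the request headers with internal Origin/Referer removed.

    Header names are matched case-insensitively; everything else passes through.
    """
    cleaned = {}
    for name, value in headers.items():
        if name.title() in SCRUBBED_HEADERS and origin_is_internal(value):
            continue  # drop the leaking header, keep the rest of the request
        cleaned[name] = value
    return cleaned


if __name__ == "__main__":
    # Constructed sample request leaving an intranet for a public site.
    request = {
        "Host": "example.com",
        "Origin": "http://10.20.30.40:8080",
        "Referer": "http://intranet-wiki/page",  # hostname, not an IP: kept
        "User-Agent": "constructed-example/1.0",
    }
    print(scrub_headers(request))
```

Design note: the filter deliberately refuses to resolve hostnames, and it does not block external origins, so the effect on ordinary browsing is limited to requests that would otherwise reveal a private address.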
