server session not protected against an online dictionary attack
Issue #3
resolved
A server could generate a session and issue a challenge B. An attacker could then keep guessing passwords against that same challenge, reusing A and sending a fresh M1 for each guess, since M1 depends only on the password guess and the already-known A and B. To protect against this, the thinbus server object should refuse to run either step1 or step2 more than once. That forces an attacker to fetch a new challenge for every password guess, at the expense of another round trip to the server.
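The single-use guard this issue asks for, as an added illustration that is not taken from the Thinbus code base: a toy SRP-6a server session (constructed group parameters, SHA-256, simplified padding; the class and method names are assumptions mirroring the step1/step2 wording above) that refuses a second step1 or step2, so every password guess costs a new challenge round trip.

```python
import hashlib
import secrets

# Toy SRP-6a group, constructed for illustration only (far too small for real use).
N = (1 << 127) - 1  # a Mersenne prime; every value below fits in 16 bytes
g = 3


def H(*parts: int) -> int:
    """Hash integers as fixed-width big-endian bytes and return the digest as an int."""
    data = b"".join(p.to_bytes(16, "big") for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def private_key(salt: int, password: str) -> int:
    # x = H(salt | password); the server stores only the verifier v = g^x mod N
    digest = hashlib.sha256(salt.to_bytes(16, "big") + password.encode()).digest()
    return int.from_bytes(digest, "big")


class ServerSession:
    """One server-side SRP session; step1 and step2 each run at most once."""
    def __init__(self, v: int):
        self.v, self.state = v, "new"

    def step1(self) -> int:
        """Issue the challenge B. A second call on the same session is refused."""
        if self.state != "new":
            raise RuntimeError("step1 already run on this session")
        self.state = "challenged"
        self.b = secrets.randbelow(N - 2) + 1
        self.B = (H(N, g) * self.v + pow(g, self.b, N)) % N
        return self.B

    def step2(self, A: int, M1: int) -> bool:
        """Check the client proof M1 once; right or wrong, the session is consumed."""
        if self.state != "challenged":
            raise RuntimeError("step2 already run; the client must fetch a new challenge")
        self.state = "finished"  # consumed before the check, so a wrong guess also burns it
        if A % N == 0:
            raise ValueError("invalid A")
        u = H(A, self.B)
        S = pow(A * pow(self.v, u, N), self.b, N)
        return H(A, self.B, S) == M1


def client_proof(salt: int, password: str, B: int) -> tuple:
    """Client side, used here only to produce an (A, M1) pair for one password guess."""
    x = private_key(salt, password)
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    u = H(A, B)
    S = pow((B - H(N, g) * pow(g, x, N)) % N, a + u * x, N)
    return A, H(A, B, S)
```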