[cryptography] Secure Remote Password (SRP) and Plaintext Email Address

James A. Donald jamesd at echeque.com
Fri Oct 19 02:45:04 EDT 2012


On 2012-10-19 11:47 AM, Nico Williams wrote:
> Lack of client ID privacy protection can lead to some attacks such as
> password guesses based on the ID or knowledge of the person that ID is
> for.  If you were working for a spy agency (say), you'd definitely
> want priv. prot. for the client ID!

If the attacker knows the email address, he can identify the user - who is 
very likely using the same password for his porn account, etc. Attacker 
intercepts porn account using Firesheep, and ... he is in.




