<p>Changed the version number on the homepage. A new homepage is sort of in the works...<br>
Cheers, Michael</p>
<div class="gmail_quote">On 14.12.2011 15:15, "Smoes Orino" <<a href="mailto:smoesorino@googlemail.com">smoesorino@googlemail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div><div><div>Hey Robin,</div><div><br></div><div>At first look, that is a fix that prevents people from exploiting the mentioned, but I think it opens a few new security questions. I don't know how relevant they are, but:</div>
</div></div>
<div><ul><li>XSS attacks to obtain the session ID open the chance to brute-force the password offline.</li><li>A man-in-the-middle attack is even worse, because one could get an exact timestamp.</li></ul><div>Why not use md5(time().user.someRand())? That would raise the number of possible tokens to the rand interval, and, let's say, for a rand within 10^5, brute-force attacks will be impossible.</div>
<div><br></div>
</div><div>Another important thing, to prevent brute-forcing in general, is to add a login penalty. Let's say a 10 sec penalty after 3 failed logins, implemented server-side. </div><div><br></div><div>Best wishes, </div><div>
Simon</div>
<br>_______________________________________________<br>
Owncloud mailing list<br>
<a href="mailto:Owncloud@kde.org">Owncloud@kde.org</a><br>
<a href="https://mail.kde.org/mailman/listinfo/owncloud" target="_blank">https://mail.kde.org/mailman/listinfo/owncloud</a><br>
<br></blockquote></div>
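<p>The server-side login penalty Simon suggests, implemented as an added example in Python (this is not ownCloud code and not code from anyone in this thread); the credential store, the account name and the injectable clock are constructed for the demonstration:</p>

```python
import hmac
import time
from collections import defaultdict
# Constructed credential store for the demonstration only; a real server
# stores password hashes, never the passwords themselves.
USERS = {"alice": "correct horse battery staple"}

def check_password(user, password):
    """Constant-time comparison against the constructed store."""
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(expected, password)

class LoginThrottle:
    """After `max_failures` consecutive failed logins for an account, every
    further attempt (even with the right password) is refused for `penalty` s."""
    def __init__(self, max_failures=3, penalty=10.0, clock=time.time):
        self.max_failures = max_failures
        self.penalty = penalty
        self.clock = clock                # injectable so the delay is testable
        self._failures = defaultdict(int)  # consecutive failures per account
        self._locked_until = {}           # account -> time the penalty ends

    def locked_for(self, user):
        """Seconds the account stays locked; 0.0 if it may try now."""
        return max(0.0, self._locked_until.get(user, 0.0) - self.clock())

    def attempt(self, user, password):
        """Returns 'ok', 'bad_password' or 'locked'."""
        if self.locked_for(user) > 0:
            return "locked"               # password is not even checked
        if check_password(user, password):
            self._failures.pop(user, None)
            self._locked_until.pop(user, None)
            return "ok"
        self._failures[user] += 1
        if self._failures[user] >= self.max_failures:
            self._locked_until[user] = self.clock() + self.penalty
            self._failures[user] = 0      # counter restarts after the penalty
        return "bad_password"

def simulate():
    """Three wrong guesses, a refused correct guess, success after 10 s."""
    now = [1000.0]
    throttle = LoginThrottle(clock=lambda: now[0])
    outcomes = [throttle.attempt("alice", "guess%d" % i) for i in range(3)]
    outcomes.append(throttle.attempt("alice", "correct horse battery staple"))
    now[0] += 10.0                        # wait out the penalty
    outcomes.append(throttle.attempt("alice", "correct horse battery staple"))
    return outcomes
```

<p>Because the lock is checked before the password, a correct guess made during the penalty is refused as well, so the response does not reveal whether the guess was right.</p>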