07-07-2008, 16:10   #11276
isf
Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

Quote:
Originally Posted by rryles
There are several big issues for Phorm to solve and no easy solutions. I don't see the point in debating which is the biggest.
A debate wasn't my intention; I was simply putting it in perspective -- exactly as you did with your opening sentence.

Quote:
The ironic thing is that in trying to design a system that mitigates the problem of UIDs leaking, you give yourself the problem of handling more PII (The IP address).
I'm not trying to design their system for them, far from it. However, if they insist on going ahead with this farce, the least they can do is attempt to avoid leaking the uid.

Quote:
I think it does matter. How do you lock the uid to an IP address then allow the IP address to be dynamic?
The uid is a key to a database containing profile data; we're only talking about leakage due to phorged cookies under 3rd party domains. If a cookie is invalid, they simply overwrite it by spoofing a valid one.

Quote:
When you reference 'security by obscurity' I hope you understand how bad a reputation this approach has!?
Err yeah -- even although that's exactly what strong passphrases etc... are