Juha Heinanen writes:
Moreover, the latest recommendations in security are to disclose as little as possible about what was not "correct", avoiding responses like "invalid user id" or "invalid password".
I agree with that, but in the case of an expired nonce, the sender has already somehow figured out what the username is.
I think that in order to be able to send a request with a stale nonce, the attacker must already have been able to capture the previous request/response. If so, there is not much to lose by including the flag.
-- Juha
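The exchange discussed above, as an added example that is not part of the original thread or of any project's code: a minimal server-side Digest verifier (RFC 2617 style, no qop, MD5 as the RFC specifies) that issues HMAC-stamped nonces, checks the response, and sets stale=true in the new challenge only when the digest was correct under an expired nonce. The realm, key, user store, lifetime and nonce format are constructed assumptions for the demo. The point it illustrates is that the stale flag never confirms a guessed password (a wrong digest collapses to the same "invalid" answer as an unknown user), while a replayed capture does get stale=true, which tells the replaying party nothing it did not already have, since the username travelled in the captured Authorization header.

```python
import base64
import hashlib
import hmac
import time

# Constructed demo parameters; not taken from the thread.
REALM = "example.com"
SERVER_KEY = b"constructed-demo-key-rotate-in-production"
NONCE_LIFETIME = 300  # seconds a nonce stays fresh


def h(data):
    """MD5 hex digest, the H() of RFC 2617 Digest."""
    return hashlib.md5(data.encode()).hexdigest()


# Constructed user store: username -> H(A1) = MD5(username:realm:password).
# Keeping H(A1) rather than the password is what RFC 2617 section 3.5 suggests.
USERS = {"alice": h("alice:%s:correct-horse" % REALM)}


def make_nonce(now=None):
    """Nonce = base64(timestamp:HMAC(key, timestamp)).
    The HMAC lets the server recognise its own nonces without per-nonce state."""
    ts = str(int(time.time() if now is None else now))
    mac = hmac.new(SERVER_KEY, ts.encode(), hashlib.sha256).hexdigest()
    return base64.b64encode(("%s:%s" % (ts, mac)).encode()).decode()


def nonce_state(nonce, now=None):
    """Return 'fresh', 'stale' (issued by us but expired) or 'bogus' (not ours)."""
    try:
        ts, mac = base64.b64decode(nonce).decode().split(":", 1)
        issued = int(ts)
    except ValueError:  # bad base64, bad UTF-8, missing ':' or non-numeric ts
        return "bogus"
    expected = hmac.new(SERVER_KEY, ts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return "bogus"
    age = (time.time() if now is None else now) - issued
    return "fresh" if 0 <= age <= NONCE_LIFETIME else "stale"


def digest_response(ha1, method, uri, nonce):
    """RFC 2617 response without qop: MD5(HA1:nonce:MD5(method:uri))."""
    ha2 = h("%s:%s" % (method, uri))
    return h("%s:%s:%s" % (ha1, nonce, ha2))


def verify(username, method, uri, nonce, response, now=None):
    """Return 'ok', 'stale' or 'invalid'.

    'stale' is only returned when the digest is correct under the expired
    nonce, so the flag cannot be used as a password oracle. Unknown user and
    wrong password both collapse to 'invalid', the uniform reply the thread
    recommends. A nonce we never issued is treated as a plain failure."""
    ha1 = USERS.get(username)
    # Compute against a dummy H(A1) for unknown users so the work done is similar.
    check_ha1 = ha1 if ha1 is not None else h("%s:%s:" % (username, REALM))
    expected = digest_response(check_ha1, method, uri, nonce)
    if ha1 is None or not hmac.compare_digest(expected, response):
        return "invalid"
    state = nonce_state(nonce, now)
    if state == "fresh":
        return "ok"
    if state == "stale":
        return "stale"
    return "invalid"


def challenge(stale, now=None):
    """WWW-Authenticate header. stale=true tells the client to retry with the
    new nonce without prompting the user again (RFC 2617 section 3.2.1)."""
    hdr = 'Digest realm="%s", nonce="%s"' % (REALM, make_nonce(now))
    return hdr + ", stale=true" if stale else hdr


if __name__ == "__main__":
    # Constructed scenario: a legitimate REGISTER, then the same request replayed
    # after the nonce lifetime, as an eavesdropper who captured it would do.
    t0 = 1700000000
    nonce = make_nonce(t0)
    resp = digest_response(USERS["alice"], "REGISTER", "sip:example.com", nonce)
    print("fresh replay  :", verify("alice", "REGISTER", "sip:example.com", nonce, resp, now=t0 + 10))
    print("late replay   :", verify("alice", "REGISTER", "sip:example.com", nonce, resp, now=t0 + 1000))
    wrong = digest_response(h("alice:%s:wrong" % REALM), "REGISTER", "sip:example.com", nonce)
    print("wrong password:", verify("alice", "REGISTER", "sip:example.com", nonce, wrong, now=t0 + 1000))
    print("unknown user  :", verify("bob", "REGISTER", "sip:example.com", nonce, resp, now=t0 + 10))
    print(challenge(True, now=t0 + 1000))
```

The late replay yields "stale", so the server's next 401 carries stale=true; the wrong-password and unknown-user cases yield the same "invalid", so neither the flag nor the error text distinguishes them.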