[SR-Users] people complain Kamailio not handling stale nonce correctly
Juha Heinanen
jh at tutpro.com
Tue Jul 2 19:30:10 CEST 2019
Juha Heinanen writes:
> > Moreover, the latest recommendations in security is to disclose as less as
> > possible what was not "correct", avoiding responses like "invalid user id"
> > or "invalid password".
>
> I agree with that, but in case of expired nonce, the sender already has
> somehow figured out what the username is.
I think that in order to be able to send a request with a stale nonce, the
attacker must already have been able to capture the previous
request/response. If so, there is not much to lose by including the
flag.
-- Juha
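The exchange above turns on what `stale=true` actually tells the sender. In RFC 2617 Digest the flag is defined as "the nonce expired, but the credentials were otherwise valid", so a server must only set it after the response digest has verified against the expired nonce; a correct server therefore never emits it on a wrong password. The following is an added example (not Kamailio's code and not from the thread) that implements that decision in Python with a stateless timestamp+HMAC nonce; the realm, user, password, nonce lifetime and signing key are constructed for the demo.

```python
import hashlib
import hmac
import os
import time

# Constructed demo values (hypothetical; not from the mailing list thread).
USERS = {"alice": "s3cret"}
REALM = "example.com"
NONCE_LIFETIME = 30          # seconds a nonce is accepted before it is "stale"
SERVER_KEY = os.urandom(16)  # per-process key that signs nonces, so no server-side nonce table is needed


def make_nonce(now=None):
    """Stateless nonce: '<unix ts>.<truncated HMAC(ts)>'. The MAC lets the server
    later verify that it issued this nonce and read its age from the timestamp."""
    ts_str = str(int(time.time() if now is None else now))
    mac = hmac.new(SERVER_KEY, ts_str.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{ts_str}.{mac}"


def nonce_valid(nonce, now=None):
    """Return (well_formed, expired). A forged or malformed nonce is not 'expired',
    it is simply invalid, and must not produce stale=true."""
    try:
        ts_str, mac = nonce.split(".", 1)
        ts = int(ts_str)
    except ValueError:
        return False, False
    expect = hmac.new(SERVER_KEY, ts_str.encode(), hashlib.sha256).hexdigest()[:16]
    if not hmac.compare_digest(mac, expect):
        return False, False
    now = time.time() if now is None else now
    return True, (now - ts) > NONCE_LIFETIME


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, password, method, uri, nonce):
    """RFC 2617 Digest response without qop: MD5(HA1 ':' nonce ':' HA2)."""
    ha1 = md5hex(f"{username}:{REALM}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def check_auth(username, method, uri, nonce, response, now=None):
    """Server-side verdict: 'ok', 'stale' or 'reject'.
    'stale' is only reachable after the digest verified, which is exactly why
    the flag discloses that the captured credentials were correct."""
    well_formed, expired = nonce_valid(nonce, now)
    password = USERS.get(username)
    if password is None or not well_formed:
        return "reject"
    expected = digest_response(username, password, method, uri, nonce)
    if not hmac.compare_digest(expected, response):
        return "reject"          # bad credentials: never answer with stale=true
    return "stale" if expired else "ok"


def challenge_header(stale, now=None):
    """WWW-Authenticate value for a 401, with stale=true only when check_auth said so."""
    hdr = f'Digest realm="{REALM}", nonce="{make_nonce(now)}"'
    return hdr + (", stale=true" if stale else "")


if __name__ == "__main__":
    # Constructed walk-through: a valid REGISTER, the same one replayed too late,
    # and one with a wrong password replayed too late.
    uri = "sip:example.com"
    n = make_nonce(now=1000)
    good = digest_response("alice", "s3cret", "REGISTER", uri, n)
    bad = digest_response("alice", "wrong", "REGISTER", uri, n)
    for label, resp, now in (("fresh", good, 1010), ("late", good, 2000), ("late+wrong", bad, 2000)):
        verdict = check_auth("alice", "REGISTER", uri, n, resp, now=now)
        print(label, "->", verdict, "|", challenge_header(verdict == "stale", now=now) if verdict != "ok" else "200 OK")
```

The important branch is the order of checks in `check_auth`: the nonce age is read first but only acted on after the digest has verified, so a guessed or wrong password gets the same plain 401 whether the nonce is fresh or not. That is the behaviour the thread is debating: including `stale=true` costs nothing extra only if the sender could already have learned the credentials from the captured request.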