[SR-Users] people complain Kamailio not handling stale nonce correctly
jh at tutpro.com
Tue Jul 2 19:30:10 CEST 2019
Juha Heinanen writes:
> > Moreover, the latest recommendations in security is to disclose as less as
> > possible what was not "correct", avoiding responses like "invalid user id"
> > or "invalid password".
> I agree with that, but in case of expired nonce, the sender already has
> somehow figured out what the username is.
I think that in order to be able send a request with stale nonce, the
attacker must already have been able to capture the previous
request/response. If so, there is not much to loose by including the
More information about the sr-users