undefined | Better HN

0 pointsCPLX5y ago0 comments

Sure, but your rate limit would be for all conferences.

The idea being by separating the conference number and PIN number you could limit the ability to attack a specific user ID more easily.

0 comments

Dylan168075y ago

So we have to look at what "attacking a specific ID" even means.

With separate room numbers and PINs, it means you know the room number but not the PIN. Simple enough.

But in the long-id scenario, that means you have part of the ID, but not all of the ID. That's pretty unlikely to happen. Instead, situations where someone would have leaked the room number will take one of two routes: either the person leaks the longer ID, and there is no attacking necessary, or the person realizes that the secret code needs to be secret, and nothing is leaked at all. Either way, attacks on a specific conference ID no longer happen.

j / k navigate · click thread line to collapse

0 pointsCPLX5y ago0 comments

Sure, but your rate limit would be for all conferences.

The idea being by separating the conference number and PIN number you could limit the ability to attack a specific user ID more easily.

0 comments

Dylan168075y ago

So we have to look at what "attacking a specific ID" even means.

With separate room numbers and PINs, it means you know the room number but not the PIN. Simple enough.

j / k navigate · click thread line to collapse