canmove, Confirmed users
1,537
edits
Privacy/Reviews/BrowserID.org: Difference between revisions
Privacy/Reviews/BrowserID.org (view source)
Revision as of 18:12, 19 December 2011
, 19 December 2011→User Data Risk Minimization
| Line 347: | Line 347: | ||
''In this section, the privacy champion will identify areas of user data risk and recommendations for minimizing the risk.'' | ''In this section, the privacy champion will identify areas of user data risk and recommendations for minimizing the risk.'' | ||
== User Enumeration == | |||
''The Risk'' is that a malicious user with a list of email addresses can query the service to enumerate which of the listed email addresses are enrolled in BrowserID. Users may not want it world-known that they use this service to authenticate. | |||
''Recommendation:'' Rate Limit requests to the API so that a malicious user can't quickly brute-force check for which email addresses are enrolled. | |||
{{ResolutionBox|{{new|}}}} | |||
= Alignment with Privacy Operating Principles = | = Alignment with Privacy Operating Principles = | ||