Hello Jason,
the idea is sound and we will take a closer look at it; the only fear
I have right now is that this new call could be used as an effective
way to perform a dictionary attack on our DB.
Right now, to perform a remote dictionary attack on Clipperz the
attacker needs to go through 3 full SRP connection procedures, each of
wich consists in three steps; so in order to verify if a given
username/passphrase is valid the attacker will have to pay 9 hashcash
tolls.
With the direct link, an attacker would be able to achieve the same
result immediately. At least with a naive implementation. We could
alleviate this problem always returning a well formed offline copy,
but with dummy data, so that the attacker will be forced to test the
credentials also on the downloaded file.
But this will definitely create some added cost on our server, and
could expose us to a very simple way to take our server down to its
knees.
Nice idea, but we need to work on it further to solve these issues.
Thanks for your suggestion.
Best regards,
Giulio Cesare