Re: [cors] Review

From: Adam Barth <w3c@adambarth.com>
Date: Wed, 17 Jun 2009 17:00:28 -0700
Message-ID: <7789133a0906171700j4fb356c7m7349a7d680661b76@mail.gmail.com>
To: Tyler Close <tyler.close@gmail.com>
Cc: Ian Hickson <ian@hixie.ch>, Anne van Kesteren <annevk@opera.com>, Mark Nottingham <mnot@mnot.net>, public-webapps@w3.org

On Wed, Jun 17, 2009 at 4:31 PM, Tyler Close <tyler.close@gmail.com> wrote:
> 2009/6/17 Adam Barth <adam@adambarth.com>:
>> I'd classify this as moderately difficult. It's not something I can do for $5, but given a few hundred dollars, I can probably do it. Recall that sending an HTTP request requires a full TCP handshake, so it's not as easy as SYN flooding.
>>
>> Adam
>
> And also:
>
> http://en.wikipedia.org/wiki/IP_address_spoofing

Wikipedia seems to disagree with your point that IP-based authentication
is inherently broken.  From that page:

"IP spoofing can also be a method of attack used by network intruders
to defeat network security measures, such as authentication based on
IP addresses. This method of attack on a remote system can be
extremely difficult, as it involves modifying thousands of packets at
a time."

I'm not sure "extremely difficult" is the characterization I'd use,
but the reality is that some number of services use IP-based
authentication.  In some cases, it's a bad idea.  In other cases, like
the ACM digital library, it works quite well.

Adam
Received on Thursday, 18 June 2009 00:01:25 GMT