Re: [cors] Review

On Wed, Jun 17, 2009 at 4:45 PM, Ian Hickson<ian@hixie.ch> wrote:
> That's news to me. As far as I can tell short of a man-in-the-middle
> attack it would take a phenomenal combination of a brute-force attack on
> the sequence numbers and a simultaneous DOS of the spoofee's network
> connection.
>
> In practice these systems exist, and IP spoofing HTTP traffic is, as Adam
> put it, at least "moderately difficult". What you describe would change it
> from "moderately difficult" to "trivial".

I don't know of any IP spoofing attacks that aren't public.  I
wouldn't trust the confidentiality of my email to IP-based
authentication, but I would trust the confidentiality of my grocery
list to it.

Adam

Received on Thursday, 18 June 2009 00:05:07 UTC