
Re: [cors] Review

From: Adam Barth <w3c@adambarth.com>
Date: Wed, 17 Jun 2009 17:04:10 -0700
Message-ID: <7789133a0906171704n5048ec5cl6b3552edec4bbf87@mail.gmail.com>
To: Ian Hickson <ian@hixie.ch>
Cc: Tyler Close <tyler.close@gmail.com>, Anne van Kesteren <annevk@opera.com>, Mark Nottingham <mnot@mnot.net>, public-webapps@w3.org

On Wed, Jun 17, 2009 at 4:45 PM, Ian Hickson <ian@hixie.ch> wrote:
> That's news to me. As far as I can tell short of a man-in-the-middle
> attack it would take a phenomenal combination of a brute-force attack on
> the sequence numbers and a simultaneous DOS of the spoofee's network
> connection.
>
> In practice these systems exist, and IP spoofing HTTP traffic is, as Adam
> put it, at least "moderately difficult". What you describe would change it
> from "moderately difficult" to "trivial".

I don't know of any IP spoofing attacks that aren't public.  I
wouldn't trust the confidentiality of my email to IP-based
authentication, but I would trust the confidentiality of my grocery
list to it.

Adam
Received on Thursday, 18 June 2009 00:05:07 GMT
