
Re: [cors] Review

From: Tyler Close <tyler.close@gmail.com>
Date: Mon, 22 Jun 2009 11:30:55 -0700
Message-ID: <5691356f0906221130l708d8f68u64c8c32f74ce2186@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: Ian Hickson <ian@hixie.ch>, Anne van Kesteren <annevk@opera.com>, Mark Nottingham <mnot@mnot.net>, public-webapps@w3.org

On Wed, Jun 17, 2009 at 5:00 PM, Adam Barth<w3c@adambarth.com> wrote:
> On Wed, Jun 17, 2009 at 4:31 PM, Tyler Close<tyler.close@gmail.com> wrote:
>> 2009/6/17 Adam Barth <adam@adambarth.com>:
>>> I'd classify this as moderately difficult. It's not something I can do for $5, but given a few hundred dollars, I can probably do it. Recall that sending an HTTP request requires a full TCP handshake, so it's not as easy as SYN flooding.
>>>
>>> Adam
>>
>> And also:
>>
>> http://en.wikipedia.org/wiki/IP_address_spoofing
>
> Wikipedia seems to disagree with your point that IP-based authentication
> is inherently broken.  From that page:
>
> "IP spoofing can also be a method of attack used by network intruders
> to defeat network security measures, such as authentication based on
> IP addresses. This method of attack on a remote system can be
> extremely difficult, as it involves modifying thousands of packets at
> a time."

I haven't placed a value on the degree of 'broken'-ness of IP-based
authentication. Your claim of a few hundred dollars worth of security
is the strongest claim in this regard. I'm happy to accept that as the
level of security offered by IP-based authentication.

My aim here is simply to probe the use-case that has had the most
influence over the design of CORS. It appears to me that almost all
the complexity of CORS comes from its attempt to protect resources
that rely solely on IP-based authentication. Resources of this nature
seem like a rather peculiar case, so I'd like to take a closer look,
in the hope that we might find some other peculiar attribute of these
peculiar resources that could preserve their security, without
imposing costs on the rest of the Web, like pre-flight requests, new
kinds of caches and restrictions on headers.

> I'm not sure "extremely difficult" is the characterization I'd use,
> but the reality is that some number of services use IP-based
> authentication.  In some cases, it's a bad idea.  In other cases, like
> the ACM digital library, it works quite well.

So let's take a look at the ACM digital library case. Is there some
document that describes its use of IP-based authentication? Does the
resource use this protection to authenticate POST requests, or just
GET requests?

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Monday, 22 June 2009 18:31:35 GMT
