19.03.2009, at 2:48, Jonas Sicking wrote:

> It can, though potentially not as reliably. And it's also something
> we'd like to fix. In other words, port-scanning of intranets isn't
> something I'd like to build into the standard. Especially when
> protection for it comes at a relatively low cost. Low enough that it's
> very doubtful authors will ever notice this.

Fair enough. This brings another problem, though: scripts can POST large requests and measure how long it takes. This is quite reliable, too, so forbidding explicit progress events while keeping POST on the simple method list doesn't buy much security.

In fact, it seems very likely that even timing of preflight requests makes port scans possible, but I don't have any data to support this theory.

- WBR, Alexey Proskuryakov

Received on Thursday, 19 March 2009 07:06:57 UTC
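The timing side channel Alexey describes, as an added example that is not part of the original thread and not code from any of its participants. It uses fetch() as the modern equivalent of the XMLHttpRequest being discussed: a POST with a plain string body is a "simple" request under CORS, so no preflight is sent and the request reaches the target port directly. The host, port list, body size, trial count, the calibration port (assumed closed) and the ratio threshold are all assumptions chosen for illustration. The probe functions only run in a browser; the median and classification helpers are the part that can be exercised offline.

```javascript
// Added example (not from the original thread): measuring the timing
// side channel of a cross-origin POST. The browser deliberately hides
// whether the request succeeded (opaque response or a bare TypeError),
// so the only signal kept here is how long the request took.

// Build a large request body. A closed port refuses the TCP connection
// before any body is sent; an open port accepts the connection and the
// browser has to upload the whole body before anything surfaces, so the
// elapsed time grows with the body size. (Assumed body size: 4 MiB.)
function makeLargeBody(sizeBytes) {
  return "A".repeat(sizeBytes);
}

// Browser side: time one cross-origin POST to host:port. mode "no-cors"
// with a string body (Content-Type text/plain) is a simple request, so
// no preflight is issued. The promise always resolves with milliseconds.
async function timePost(host, port, body) {
  const url = `http://${host}:${port}/`; // hypothetical intranet target
  const started = performance.now();
  try {
    await fetch(url, { method: "POST", mode: "no-cors", body });
  } catch (_e) {
    // Expected for closed ports and non-HTTP listeners; ignored on purpose.
  }
  return performance.now() - started;
}

// Median of repeated measurements; single samples are too noisy to use.
function median(values) {
  const sorted = [...values].sort((a, b) => a - b);
  const mid = Math.floor(sorted.length / 2);
  return sorted.length % 2 === 1 ? sorted[mid] : (sorted[mid - 1] + sorted[mid]) / 2;
}

// Decide "open" vs "closed" by comparing a port's median timing against
// a baseline measured on a port assumed to be closed on the same host.
// Calibrating per host rather than using a fixed threshold absorbs
// network latency. `ratio` (assumed 3) is how much slower the candidate
// must be than the baseline to count as open.
function classifyTimings(candidateMs, baselineMs, ratio = 3) {
  const candidate = median(candidateMs);
  const baseline = median(baselineMs);
  return candidate > baseline * ratio ? "open" : "closed";
}

// Browser side: probe a list of ports on an intranet host. The calibration
// port (assumed 1) is used as the "known closed" baseline.
async function scanPorts(host, ports, options = {}) {
  const { trials = 5, bodySize = 4 * 1024 * 1024, baselinePort = 1, ratio = 3 } = options;
  const body = makeLargeBody(bodySize);
  const sample = async (port) => {
    const times = [];
    for (let i = 0; i < trials; i++) times.push(await timePost(host, port, body));
    return times;
  };
  const baseline = await sample(baselinePort);
  const results = {};
  for (const port of ports) {
    results[port] = classifyTimings(await sample(port), baseline, ratio);
  }
  return results;
}

// Browser usage (assumed host and ports):
//   scanPorts("10.0.0.5", [22, 80, 443, 8080]).then(console.log);
```

The design point is that nothing in the response is consulted: the browser's error masking does its job, but the connection-refused case returns before the body is uploaded while an accepted connection does not, and that difference is what the calibration against a known-closed port makes measurable.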