Re: [whatwg] Declarative unload data

Hi Boris,

On Aug 22, 2012, at 5:14 PM, Boris Zbarsky wrote:

> On 8/22/12 4:53 PM, Mark Watson wrote:
>> Also, we've considered "heartbeat" type solutions, which whilst better than nothing are vulnerable to an attack in which the heartbeat messages are blocked.
> 
> I'd like to understand this better.  Would such an attack not also work on XHR?

It would, but the effect would be different.

Blocked heartbeats would cause the server to think that streaming had stopped, when in fact it was continuing. The service underestimates how much streaming there is.

Blocked 'stop' messages would cause the server to think that streaming was continuing, when in fact it had stopped. The service overestimates how much streaming there is.

It so happens that for our business model, underestimating is much worse than overestimating. For a different business model, it might be the opposite.

…Mark


> 
> (I realize there are other issues with a heartbeat ping; just wanted to make sure I understand this particular issue properly.)
> 
> -Boris
> 

Received on Thursday, 23 August 2012 17:45:13 UTC
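
The two accounting models contrasted in the message above, as an added example that is not part of the original thread: a server that reads silence as "stopped" (heartbeats) next to one that reads silence as "still streaming" (explicit stop message), run over the same lost messages. All function names, the 10-second interval and the scenario values are assumptions made for illustration.

```javascript
// Added illustration; every name and number here is an assumption.
// Times are seconds since the session started.

// Messages a well-behaved client sends while streaming from t=0 to stopAt.
function clientMessages(stopAt, interval) {
  const msgs = [{ t: 0, type: 'start' }];
  for (let t = interval; t < stopAt; t += interval) {
    msgs.push({ t, type: 'heartbeat' });
  }
  msgs.push({ t: stopAt, type: 'stop' });
  return msgs;
}

// Network path: drop every message for which blocked(msg) is true.
function deliver(msgs, blocked) {
  return msgs.filter((m) => !blocked(m));
}

// Heartbeat accounting: streaming is credited only up to the last message
// the server received; silence is read as "stopped".
function heartbeatEstimate(received) {
  return received.reduce((last, m) => Math.max(last, m.t), 0);
}

// Stop-message accounting: streaming is credited until a 'stop' arrives,
// or until `now` if none has; silence is read as "still streaming".
function stopEstimate(received, now) {
  const stop = received.find((m) => m.type === 'stop');
  return stop ? stop.t : now;
}

// Signed error of each model (estimate minus actual) under one loss pattern.
function accountingError(actual, now, blocked) {
  const received = deliver(clientMessages(actual, 10), blocked);
  return {
    heartbeat: heartbeatEstimate(received) - actual,
    stop: stopEstimate(received, now) - actual,
  };
}

// Constructed scenario: 600 s of real streaming, server observed at t=3600.
const noLoss = accountingError(600, 3600, () => false);
const lostAfter60 = accountingError(600, 3600, (m) => m.t > 60);
const stopLost = accountingError(600, 3600, (m) => m.type === 'stop');
console.log({ noLoss, lostAfter60, stopLost });
```

A negative error is an underestimate and a positive error an overestimate, so the same loss pattern pushes the two models in opposite directions.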