- From: Adam Barth <w3c@adambarth.com>
- Date: Wed, 17 Jun 2009 17:00:28 -0700
- To: Tyler Close <tyler.close@gmail.com>
- Cc: Ian Hickson <ian@hixie.ch>, Anne van Kesteren <annevk@opera.com>, Mark Nottingham <mnot@mnot.net>, public-webapps@w3.org

On Wed, Jun 17, 2009 at 4:31 PM, Tyler Close <tyler.close@gmail.com> wrote:
> 2009/6/17 Adam Barth <adam@adambarth.com>:
>> I'd classify this as moderately difficult. It's not something I can do for $5, but given a few hundred dollars, I can probably do it. Recall that sending an HTTP request requires a full TCP handshake, so it's not as easy as SYN flooding.
>>
>> Adam
>
> And also:
>
> http://en.wikipedia.org/wiki/IP_address_spoofing

Wikipedia seems to disagree with your point that IP-based authentication is inherently broken. From that page:

"IP spoofing can also be a method of attack used by network intruders to defeat network security measures, such as authentication based on IP addresses. This method of attack on a remote system can be extremely difficult, as it involves modifying thousands of packets at a time."

I'm not sure "extremely difficult" is the characterization I'd use, but the reality is that some number of services use IP-based authentication. In some cases, it's a bad idea. In other cases, like the ACM digital library, it works quite well.

Adam

Received on Thursday, 18 June 2009 00:01:25 UTC