- From: Adam Barth <w3c@adambarth.com>
- Date: Wed, 17 Jun 2009 17:04:10 -0700
- To: Ian Hickson <ian@hixie.ch>
- Cc: Tyler Close <tyler.close@gmail.com>, Anne van Kesteren <annevk@opera.com>, Mark Nottingham <mnot@mnot.net>, public-webapps@w3.org

On Wed, Jun 17, 2009 at 4:45 PM, Ian Hickson <ian@hixie.ch> wrote:
> That's news to me. As far as I can tell short of a man-in-the-middle
> attack it would take a phenomenal combination of a brute-force attack on
> the sequence numbers and a simultaneous DOS of the spoofee's network
> connection.
>
> In practice these systems exist, and IP spoofing HTTP traffic is, as Adam
> put it, at least "moderately difficult". What you describe would change it
> from "moderately difficult" to "trivial".

I don't know of any IP spoofing attacks that aren't public. I wouldn't trust the confidentiality of my email to IP-based authentication, but I would trust the confidentiality of my grocery list to it.

Adam

Received on Thursday, 18 June 2009 00:05:07 UTC