- From: Tyler Close <tyler.close@gmail.com>
- Date: Mon, 22 Jun 2009 11:30:55 -0700
- To: Adam Barth <w3c@adambarth.com>
- Cc: Ian Hickson <ian@hixie.ch>, Anne van Kesteren <annevk@opera.com>, Mark Nottingham <mnot@mnot.net>, public-webapps@w3.org
On Wed, Jun 17, 2009 at 5:00 PM, Adam Barth<w3c@adambarth.com> wrote:
> On Wed, Jun 17, 2009 at 4:31 PM, Tyler Close<tyler.close@gmail.com> wrote:
>> 2009/6/17 Adam Barth <adam@adambarth.com>:
>>> I'd classify this as moderately difficult. It's not something I can do for $5, but given a few hundred dollars, I can probably do it. Recall that sending an HTTP request requires a full TCP handshake, so it's not as easy as SYN flooding.
>>>
>>> Adam
>>
>> And also:
>>
>> http://en.wikipedia.org/wiki/IP_address_spoofing
>
> Wikipedia seems to disagree with your point that IP-based authentication
> is inherently broken. From that page:
>
> "IP spoofing can also be a method of attack used by network intruders
> to defeat network security measures, such as authentication based on
> IP addresses. This method of attack on a remote system can be
> extremely difficult, as it involves modifying thousands of packets at
> a time."

I haven't placed a value on the degree of 'broken'-ness of IP-based authentication. Your claim of a few hundred dollars worth of security is the strongest claim in this regard. I'm happy to accept that as the level of security offered by IP-based authentication.

My aim here is simply to probe the use-case that has had the most influence over the design of CORS. It appears to me that almost all the complexity of CORS comes from its attempt to protect resources that rely solely on IP-based authentication. Resources of this nature seem like a rather peculiar case, so I'd like to take a closer look, in the hope that we might find some other peculiar attribute of these peculiar resources that could preserve their security, without imposing costs on the rest of the Web, like pre-flight requests, new kinds of caches and restrictions on headers.

> I'm not sure "extremely difficult" is the characterization I'd use,
> but the reality is that some number of services use IP-based
> authentication. In some cases, it's a bad idea. In other cases, like
> the ACM digital library, it works quite well.

So let's take a look at the ACM digital library case. Is there some document that describes its use of IP-based authentication? Does the resource use this protection to authenticate POST requests, or just GET requests?

--Tyler

--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Monday, 22 June 2009 18:31:35 UTC