- From: Robin Berjon <robin.berjon@expway.fr>
- Date: Mon, 18 Aug 2003 19:19:51 +0200
- To: Bernhard Zwischenbrugger <bz@datenkueche.com>
- Cc: "www-svg@w3.org" <www-svg@w3.org>
Bernhard Zwischenbrugger wrote:
>>If you only support XML protocols, you can't do interesting stuff like SNMP,
>>IMAP, IRC, HTTP+DAV, FTP, SMTP, etc. The Web is larger than XML. The Net is
>
> If it is possible to make network connections to other servers than
> the server the SVG is loaded from it can be a security problem.

The security issue here is that you can connect to stuff protected behind a
firewall. If you request user acceptance, then it's pretty much an education
problem.

> It would be possible to make a 1x1 pixel SVG Graphic that connects 50 times
> per second to a server.

Only with the user accepting it. It's not like that makes a big difference,
something along the line of:

  perl -MHTTP::GHTTP -e 'get("http://foo.com/") and print "." while 1'

will do the trick very well. I've used it to skew the results of online polls
a few times ;)

> If you don't restrict the network connection this could become a real problem
> for servers from yahoo, amazon, microsoft,...
> It would be easy to overload all the servers somebody doesn't like.

The users would have to accept the connection. This means they'll be wanting
to take part in the DDoS attack you describe. And if that's what they want,
then they could use much more powerful tools. SVG wouldn't introduce any new
issue.

Besides, I remember that when Microsoft released the version of IE that
implemented favicon, a *lot* of web server admins that ran sites in the
multi-million hits per day range that were angry with their error logs
suddenly piling up massive amounts of 404s (occasionally triggering pagers in
the middle of the night) made their servers redirect requests for favicon.ico
to http://microsoft.com/PleaseFixYourBloodyBrokenBrowser/. That certainly
resulted in a massive amount of extra requests being sent there, with no
discernible effect on MS's site.

Also, note that the behaviour you describe (making hidden parts of a web page
make as many requests as possible to a remote server to create a DDoS) can be
done in many browsers just by changing the location.href of a 1x1px image or
iframe. Again, SVG would introduce nothing new here.

> If the network connection is restricted you can write server based applications
> that do all these network protocols and communicate over an XML protocol with
> the client.

Yes, but that's much less useful.

-- 
Robin Berjon <robin.berjon@expway.fr>
Research Engineer, Expway        http://expway.fr/
7FC0 6F5F D864 EFB8 08CE 8E74 58E6 D5DB 4889 2488
Received on Monday, 18 August 2003 13:19:58 UTC
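The thread above argues about hidden page elements hammering a server many times per second. From the server operator's side, the practical question is spotting such a client in the access log. The following is an added example, not code from the thread or from any of its participants: it parses Common Log Format lines, computes each client's peak requests-per-second, and flags clients over a threshold. The log lines, addresses (RFC 5737 documentation ranges) and the threshold of 20 requests per second are constructed assumptions for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def _line(ip, second, path):
    """Build one constructed CLF line (sample data for this example only)."""
    return f'{ip} - - [18/Aug/2003:19:19:{second:02d} +0200] "GET {path} HTTP/1.1" 200 12'


# Constructed sample log: 203.0.113.7 behaves like a page element firing
# 30 requests within one second; 198.51.100.9 is an ordinary visitor.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", 51, "/poll/vote?id=3") for _ in range(30)]
    + [_line("198.51.100.9", 51, "/"),
       _line("198.51.100.9", 52, "/style.css"),
       _line("198.51.100.9", 55, "/logo.svg")]
    + ["garbage line that should be skipped"]
)


def parse_line(line):
    """Return (ip, timestamp, request) for a CLF line, or None if malformed."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["req"]


def peak_rates(log_text):
    """Map each client IP to the most requests it made in any single second."""
    per_second = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that do not parse rather than crash
        ip, ts, _ = parsed
        per_second[(ip, ts)] += 1  # CLF timestamps already have 1 s resolution
    peaks = defaultdict(int)
    for (ip, _), n in per_second.items():
        peaks[ip] = max(peaks[ip], n)
    return dict(peaks)


def flag_floods(log_text, threshold=20):
    """Return sorted IPs whose peak per-second request rate reaches the threshold."""
    return sorted(ip for ip, peak in peak_rates(log_text).items() if peak >= threshold)
```

A flagged client is a candidate for rate limiting at the web server or load balancer; the threshold should be tuned against the site's normal peak per-client rate before acting on it.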