- From: Randy Nonay <randy.nonay@net-linx.com>
- Date: Mon, 18 Aug 2003 11:38:26 -0600
- CC: "www-svg@w3.org" <www-svg@w3.org>
Hi,
This argument smacks of using logic in the form of "everything else is flawed, so
why should we bother to fix the error?".
If you walked upto a bridge and saw 50 people jumping off, to certain death, would
you jump too??
The logic that allowing SVG to open up the same issues as Outlook, and not being
concerned about it makes it seem that the proper answer to the above question would
be "yes". I have to disagree...
And "user training" to prevent the spread of a virus? Just take a look around at
how effective it has been in stopping all those worms that _require_ the user to
execute them to become infected... This is simply not a realistic solution. The
solution _must_ be in the form of making such an attack impossible through SVG,
rather than counting on the intelligence/wisdom of users.
Randy Nonay
Robin Berjon wrote:
> Bernhard Zwischenbrugger wrote:
> >>If you only support XML protocols, you can't do interesting stuff like SNMP,
> >>IMAP, IRC, HTTP+DAV, FTP, SMTP, etc. The Web is larger than XML. The Net is
> >
> > If it is possible to make network connections to other servers then
> > the server the SVG is loaded from it can be a security problem.
>
> The security issue here is that you can connect to stuff protected behind a
> firewall. If you request user acceptance, then it's pretty much an education
> problem.
>
> > It would be possible to make a 1x1pixel SVG Graphic that connects 50 times
> > per second to a server.
>
> Only with the user accepting it. It's not like that makes a big difference,
> something along the line of:
>
> perl -MHTTP::GHTTP -e 'get("http://foo.com/") and print "." while 1'
>
> will do the trick very well. I've used it to skew the results of online polls a
> few times ;)
>
> > If you don't restrict the network connection this could become a real problem
> > for servers from yahoo, amazon, microsoft,...
> > It would be easy to overload all the servers somebody don't like.
>
> The users would have to accept the connection. This means they'll be wanting to
> take part in the DDoS attack you describe. And if that's what they want, then
> they could use much more powerful tools. SVG wouldn't introduce any new issue.
>
> Besides, I remember that when Microsoft released the version of IE that
> implemented favicon, a *lot* of web server admins that ran sites in the
> multi-million hits per day range that were angry with their error logs suddenly
> piling up massive amounts of 404s (occasionally triggering pagers in the middle
> of the night) made their servers redirect requests for favicon.ico to
> http://microsoft.com/PleaseFixYourBloodyBrokenBrowser/. That certainly resulted
> in a massive amount of extra requests being sent there, with no discernible
> effect on MS's site.
>
> Also, note that the behaviour you describe (making hidden parts of a web page
> make as many requests as possible to a remote server to create a DDoS) can be
> done in many browsers just by changing the location.href of a 1x1px image or
> iframe. Again, SVG would introduce nothing new here.
>
> > If the network connection is restricted you can write server based applications
> > that do all this network protocols and communicate over an XML protocol with
> > the client.
>
> Yes, but that's much less useful.
>
> --
> Robin Berjon <robin.berjon@expway.fr>
> Research Engineer, Expway http://expway.fr/
> 7FC0 6F5F D864 EFB8 08CE 8E74 58E6 D5DB 4889 2488
Received on Monday, 18 August 2003 13:38:24 UTC