Interesting People mailing list archives
Re: [IP] Internet security flaw exposes private data
From: Dave Farber <dfarber () me com>
Date: Sat, 16 Jan 2010 14:57:22 -0500
From: "Dave CROCKER" <dcrocker () bbiw net>
To: <dave () farber net>
Cc: "ip" <ip () v2 listbox com>, "Peter Capek" <capek () ieee org>, "Kevin T. Neely" <ktneely () astroturfgarden com>, "Charley Kline" <csk () mail com>
Date: January 16, 2010 02:13:47 PM EST
Subject: Re: [IP] Internet security flaw exposes private data

Based on the limited information in the article, yes, this does smack of an error in NAT-related mapping code that mis-aligns connections between clients and servers (or, at least, a Facebook server).

Although the article said "misdirected cookie" it makes more sense that the entire session would be mis-directed. IP, TCP do not have special knowledge that distinguishes cookie payload from other payload and the idea that HTTP code would specially mishandle cookies, at the network side, would be rather strange.

All of which highlights a point that was learned in the earliest days of the Arpanet: Limit how much you rely on the correctness of the underlying network infrastructure. TCP's checksum is an example of that design implication, limiting its trust of the underlying network's reliability.

Another example was that the underlying Arpanet could misdirect a connection from a host, back to itself. One effect was that the mail you sent could be delivered right back to you: The email code had no way of knowing, on its own, who it had connected to. It trusted the network. This prompted a revision so that an email server now announces its own domain name, so the client can verify that it got to the right place.

These are concrete examples heeding the end-to-end argument.

<http://web.mit.edu/Saltzer/www/publications/endtoend/endtoend.pdf>

Similarly, Web cookies need to define their context sufficiently. The name of their associated account (or other context declaration) needs to be embedded in the cookie, in case of re-directed delivery.

d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
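
Added example, not part of the original message and not code from any site it mentions: one way a cookie can carry its own account context so that a misdelivered cookie is detected end to end. The key, field names and function names are constructed for illustration, and the HMAC is an added assumption so that the embedded name cannot be altered in transit.

```python
import base64
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # constructed value; a real server keeps this secret


def issue_cookie(account: str, session_id: str) -> str:
    """Build a cookie value that names the account it belongs to."""
    payload = json.dumps({"acct": account, "sid": session_id}, sort_keys=True)
    body = base64.urlsafe_b64encode(payload.encode()).decode()
    tag = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def check_cookie(cookie: str, expected_account: str) -> str:
    """Return 'ok', 'malformed', 'bad-signature' or 'wrong-account'.

    expected_account is whatever account the receiving code believes it is
    acting for (assumption: it learns this independently of the cookie).
    """
    body, sep, tag = cookie.rpartition(".")
    if not sep or not body:
        return "malformed"
    good = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; bytes avoid errors on non-ASCII input.
    if not hmac.compare_digest(good.encode(), tag.encode()):
        return "bad-signature"
    try:
        claims = json.loads(base64.urlsafe_b64decode(body))
    except ValueError:
        return "malformed"
    # The end-to-end check: do not trust the network to have delivered
    # this cookie to the session it was issued for.
    if claims.get("acct") != expected_account:
        return "wrong-account"
    return "ok"
```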