On Wednesday, May 25, 2005, at 02:49 PM, Graham wrote:
> On 25 May 2005, at 9:01 pm, Antone Roundy wrote:
>> 8.5 Denial of Service Attacks
>>
>> Atom Processors should be aware of the potential for denial of service attacks where the attacker publishes an atom:entry with the atom:id value of an entry from another feed, and perhaps with a falsified atom:source element duplicating the atom:id of the other feed. Atom Processors which, for example, suppress display of duplicate entries by displaying only one entry with a particular atom:id value or combination of atom:id and atom:updated values, might also take steps to determine whether the entries originated from the same publisher before considering them to be duplicates.
>
> How is this a "Denial of service" attack? Isn't it just ordinary spoofing/impersonation?
>
> Apart from that, +1.

I don't particularly care whether we call it a DOS or something else, as long as we point it out and give implementers something to point to if asked why they're not simply accepting atom:id at face value.

But is it not potentially a DOS? The Good Guy publishes an entry. The Bad Guy copies the atom:id of that entry into an entry with different content, gives it a later atom:updated, and publishes it. The aggregator stops publishing/displaying the Good Guy's entry and instead publishes/displays the Bad Guy's entry. Thus, the subscriber doesn't see the Good Guy's entry (unless they saw it before it was replaced).

But you're also right--if they saw it before it was replaced and then, when they see the "updated" version, they think it was updated by The Good Guy, it becomes a spoof/impersonation. Perhaps we should say "Denial of Service and Spoofing Attacks" and "...potential for denial of service and spoofing attacks..."? How that's worded doesn't really matter to me.

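The duplicate-suppression behaviour discussed in this message, as an added example that is not part of the original thread: deduplication keyed on atom:id alone, next to a version that also requires the same origin. The `fetched_from` field, the use of scheme plus host as a stand-in for "same publisher", and all sample values are assumptions made for illustration.

```python
from urllib.parse import urlsplit

ID = "tag:good.example,2005:1"
# Constructed sample entries; every URL and id here is made up.
ENTRIES = [
    {"id": ID, "updated": "2005-05-25T10:00:00Z", "content": "original post",
     "fetched_from": "https://good.example/feed.atom", "source_id": None},
    # Same atom:id, later atom:updated, different feed, unverifiable atom:source.
    {"id": ID, "updated": "2005-05-25T12:00:00Z", "content": "replacement text",
     "fetched_from": "https://other.example/feed.atom",
     "source_id": "tag:good.example,2005:feed"},
    {"id": ID, "updated": "2005-05-25T11:00:00Z", "content": "original post, corrected",
     "fetched_from": "https://good.example/feed.atom", "source_id": None},
]

def _keep_latest(kept, key, entry):
    # Timestamps here share one format and the Z offset, so string order is time order.
    cur = kept.get(key)
    if cur is None or entry["updated"] > cur["updated"]:
        kept[key] = entry

def naive_dedup(entries):
    """One entry per atom:id; the latest atom:updated wins, whoever published it."""
    kept = {}
    for e in entries:
        _keep_latest(kept, e["id"], e)
    return kept

def origin_of(entry):
    """Publisher proxy (assumption): scheme and host the feed was fetched from.
    atom:source is ignored because the entry itself supplies that claim."""
    parts = urlsplit(entry["fetched_from"])
    return (parts.scheme, parts.hostname)

def origin_aware_dedup(entries):
    """Entries are duplicates only when both atom:id and origin match."""
    kept = {}
    for e in entries:
        _keep_latest(kept, (origin_of(e), e["id"]), e)
    return kept

def conflicting_ids(kept):
    """atom:id values that appear under more than one origin, for flagging."""
    seen = {}
    for origin, entry_id in kept:
        seen.setdefault(entry_id, set()).add(origin)
    return {i for i, origins in seen.items() if len(origins) > 1}
```

With the sample data, the naive version ends up showing only the entry from the second feed, while the origin-aware version keeps the first feed's latest revision and reports the id as contested.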