Please forgive me for stepping in here; because of the recent list
volume I've only been able to partially pay attention to this
discussion, but I just wanted to make a quick observation.
Ignoring the overhead that it adds for now, isn't this the kind of
situation digital signatures are designed to handle? If I put out an
entry with a given ID and digitally sign it, and someone comes along and
attempts to publish an entry with a duplicate ID and updated timestamp
and it is NOT signed with the same key my original was signed with, then
hey, Houston, we've got a problem. Without any kind of cryptographic
guarantee of this sort, the best you could do is make an educated
guess. Would it make sense to include some language along these lines?
Antone Roundy wrote:
> On Wednesday, May 25, 2005, at 02:49 PM, Graham wrote:
> > On 25 May 2005, at 9:01 pm, Antone Roundy wrote:
> > > 8.5 Denial of Service Attacks
> > >
> > > Atom Processors should be aware of the potential for denial of
> > > service attacks where the attacker publishes an atom:entry with the
> > > atom:id value of an entry from another feed, and perhaps with a
> > > falsified atom:source element duplicating the atom:id of the other
> > > feed. Atom Processors which, for example, suppress display of
> > > duplicate entries by displaying only one entry with a particular
> > > atom:id value or combination of atom:id and atom:updated values,
> > > might also take steps to determine whether the entries originated
> > > from the same publisher before considering them to be duplicates.
> >
> > How is this a "Denial of service" attack? Isn't it just ordinary
> > spoofing/impersonation?
> >
> > Apart from that, +1.
>
> I don't particularly care whether we call it a DOS or something else,
> as long as we point it out and give implementers something to point to
> if asked why they're not simply accepting atom:id at face value.
>
> But is it not potentially a DOS? The Good Guy publishes an entry.
> The Bad Guy copies the atom:id of that entry into an entry with
> different content, gives it a later atom:updated, and publishes it.
> The aggregator stops publishing/displaying the Good Guy's entry and
> instead publishes/displays the Bad Guy's entry. Thus, the subscriber
> doesn't see the Good Guy's entry (unless they saw it before it was
> replaced).
>
> But you're also right--if they saw it before it was replaced and then,
> when they see the "updated" version, they think it was updated by The
> Good Guy, it becomes a spoof/impersonation. Perhaps we should say
> "Denial of Service and Spoofing Attacks" and "...potential for denial
> of service and spoofing attacks..."? How that's worded doesn't really
> matter to me.
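The duplicate-atom:id replacement described in the thread, and the signature-based check proposed at the top of the message, as an added example that is not part of this thread, the Atom draft, or any Atom processor. It assumes a detached Ed25519 signature over a canonical form of atom:id, atom:updated and the content (a stand-in for whatever real mechanism, such as an XML signature, a feed would use); the atom:id values, timestamps and the Good Guy / Bad Guy entries are constructed sample data. A naive aggregator keeps only the entry with the latest atom:updated per id, so the replacement wins; a pinning aggregator remembers which key first signed each id and refuses a later entry with that id from a different signer, while still accepting a genuine revision under the same key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"time"
)

// Entry is a stripped-down atom:entry. PubKey and Sig stand in for a real
// signature over the entry; this detached-signature shape is an assumption of
// the example, not something the Atom draft defines.
type Entry struct {
	ID      string
	Updated time.Time
	Content string
	PubKey  ed25519.PublicKey
	Sig     []byte
}

// canonical returns the bytes the signature covers (id, updated, content), so a
// valid signature cannot be reused on altered content or a bumped timestamp.
func canonical(e Entry) []byte {
	return []byte(e.ID + "\n" + e.Updated.UTC().Format(time.RFC3339) + "\n" + e.Content)
}

// signEntry attaches the publisher's public key and an Ed25519 signature.
func signEntry(priv ed25519.PrivateKey, e Entry) Entry {
	e.PubKey = priv.Public().(ed25519.PublicKey)
	e.Sig = ed25519.Sign(priv, canonical(e))
	return e
}

// NaiveAggregator keeps one entry per atom:id, always the one with the latest
// atom:updated, taking atom:id at face value: the behaviour the thread warns about.
type NaiveAggregator struct{ byID map[string]Entry }

func NewNaive() *NaiveAggregator { return &NaiveAggregator{byID: map[string]Entry{}} }

func (a *NaiveAggregator) Accept(e Entry) bool {
	if cur, seen := a.byID[e.ID]; seen && !e.Updated.After(cur.Updated) {
		return false // not newer than what is already displayed
	}
	a.byID[e.ID] = e
	return true
}

func (a *NaiveAggregator) Displayed(id string) string { return a.byID[id].Content }

// PinningAggregator also dedupes by atom:id, but binds each id to the key that
// first signed it. A later entry with that id must verify under the same key;
// otherwise it is treated as a different publisher and cannot replace the original.
type PinningAggregator struct {
	byID    map[string]Entry
	keyByID map[string]ed25519.PublicKey
}

func NewPinning() *PinningAggregator {
	return &PinningAggregator{byID: map[string]Entry{}, keyByID: map[string]ed25519.PublicKey{}}
}

func (a *PinningAggregator) Accept(e Entry) bool {
	// Length check first: ed25519.Verify panics on a malformed public key.
	if len(e.PubKey) != ed25519.PublicKeySize || !ed25519.Verify(e.PubKey, canonical(e), e.Sig) {
		return false // unsigned, or signature does not cover this id/updated/content
	}
	if pinned, seen := a.keyByID[e.ID]; seen {
		if !pinned.Equal(e.PubKey) {
			return false // same atom:id, different signer: the spoof / DoS case
		}
		if !e.Updated.After(a.byID[e.ID].Updated) {
			return false
		}
	}
	a.byID[e.ID] = e
	a.keyByID[e.ID] = e.PubKey
	return true
}

func (a *PinningAggregator) Displayed(id string) string { return a.byID[id].Content }

// Scenario replays the thread's Good Guy / Bad Guy example with constructed
// sample data and reports what each aggregator ends up displaying.
func Scenario() (naiveShows, pinningShows string) {
	_, goodPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, badPriv, _ := ed25519.GenerateKey(rand.Reader)
	id := "tag:example.com,2005:entry-1" // constructed atom:id
	t0 := time.Date(2005, 5, 25, 21, 1, 0, 0, time.UTC)
	original := signEntry(goodPriv, Entry{ID: id, Updated: t0, Content: "Good Guy's post"})
	spoof := signEntry(badPriv, Entry{ID: id, Updated: t0.Add(time.Hour), Content: "Bad Guy's replacement"})
	naive, pinning := NewNaive(), NewPinning()
	for _, agg := range []interface{ Accept(Entry) bool }{naive, pinning} {
		agg.Accept(original)
		agg.Accept(spoof)
	}
	return naive.Displayed(id), pinning.Displayed(id)
}

// LegitimateUpdate shows the pinning aggregator still accepts a genuine revision
// (same id, same key, later atom:updated) and rejects an unsigned one.
func LegitimateUpdate() (revisionAccepted, unsignedAccepted bool, shown string) {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	id := "tag:example.com,2005:entry-2" // constructed atom:id
	t0 := time.Date(2005, 5, 25, 21, 1, 0, 0, time.UTC)
	agg := NewPinning()
	agg.Accept(signEntry(priv, Entry{ID: id, Updated: t0, Content: "v1"}))
	revisionAccepted = agg.Accept(signEntry(priv, Entry{ID: id, Updated: t0.Add(time.Minute), Content: "v2"}))
	unsignedAccepted = agg.Accept(Entry{ID: id, Updated: t0.Add(time.Hour), Content: "v3"})
	return revisionAccepted, unsignedAccepted, agg.Displayed(id)
}

func main() {
	n, p := Scenario()
	fmt.Printf("naive aggregator shows:   %q\npinning aggregator shows: %q\n", n, p)
}
```

Pinning the first-seen key is the cheapest form of the "same publisher" check the draft text asks for; it needs no PKI, only key continuity, which is enough to tell a later entry from the original signer apart from one that merely reuses the atom:id. The trade-off, as the message above notes, is the signing and verification overhead on every entry, plus the question of how a publisher rotates keys without looking like an impersonator.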