On Wednesday 28 November 2001 11:37 am, David Nolan wrote:
> Neither of these ideas provides any true level of security to the system.
> If a malicious user can sniff the traffic, or guess the ID strings, they
> can forge events into the system.

Definitely sniffing is a possible vulnerability. As is DoS or brute force, although with any decent random ID generation scheme, brute force attacks would turn into more of a DoS attack than a forging attack. And as mon (or SMTP for that matter) is not designed with any DoS protections already, I could live with that. Some users would definitely see this sort of a scheme as not secure enough, others would be willing to live with the risks to get the convenience.

On the other hand, WAP isn't in enough devices and well-supported enough to be cheap and widely available. And there are those that say WAP is dying and stinks anyway... I've never used it on client or server sides so I can't say.

The most ubiquitously-accessible and secure wireless interface one could develop today would be something using VXML and an IVR-like system, where each user had their own PIN. Unless you're also paranoid about your digital cellphone and/or landline calls being snooped, in which case you probably wouldn't be using mon anyway :)

Keep us updated, though, with what you come up with -- it sounds very interesting.

andrew
