A forged source IP address is a good reason for doing 302s. Thanks for
the explanation. Now... if only OAuth worked...

--
Kyle Mulka
http://twilk.com

On Aug 8, 10:45 pm, John Kalucki <jkalu...@gmail.com> wrote:
> In a simplified sense, the redirect nullifies a pernicious class of
> attack where the source IP address is forged. A redirect cannot be
> followed with a false source address. The attacks that remain are
> those where the source IP address is valid. You can then imagine other
> techniques that can then be applied against valid IP addresses. And so
> the problem is divided and ameliorated, but never fully solved.
>
> I'm going to push back for a second with some food for thought for
> developers: The API is via HTTP. HTTP is a well defined protocol. 302
> redirects are a valid and well worn part of the HTTP protocol.
> Consider why applications are not built using fully HTTP compliant
> libraries. This doesn't address all the problems that we're all
> having, but it does address some.
>
> -John Kalucki
> http://twitter.com/jkalucki
> Services, Twitter Inc.
>
> On Aug 8, 8:53 am, Kyle Mulka <repalvigla...@yahoo.com> wrote:
>
> > An attacker can just as easily follow a 302 as can a legitimate API
> > developer or user of Twitter. I don't understand why Twitter thinks
> > this is a solution to the problem. Please stop 302ing.
>
> > Thanks,
>
> > --
> > Kyle Mulka
> > http://twilk.com
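
The exchange above separates two classes of traffic: requests with a forged source address, which can never complete the TCP handshake and so never reach the point of receiving a 302, and requests from a valid source address, which do receive the 302 and either follow it (a compliant HTTP client) or do not. The script below is an added example, not code from this thread or from Twitter; it works on a constructed access log in a format I am assuming (Common Log Format plus one extra quoted field holding the `Location` header, or `-`) and reports, per client IP, how many 302s were issued and how many were followed, so that valid-source clients that never follow the redirect stand out from legitimate API consumers.

```python
"""Added example: per-IP redirect-following behaviour from an access log.

Everything here is constructed for illustration. Assumed log format:
Common Log Format with one extra quoted field for the Location header
(or "-" when there is none). Lines are taken to be in time order.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log (documentation-range IPs, made-up host); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [08/Aug/2009:10:45:00 -0700] "GET /statuses/public_timeline.json HTTP/1.1" 302 0 "http://api.example.test/statuses/public_timeline.json?r=1"
203.0.113.10 - - [08/Aug/2009:10:45:01 -0700] "GET /statuses/public_timeline.json?r=1 HTTP/1.1" 200 5120 "-"
198.51.100.7 - - [08/Aug/2009:10:45:00 -0700] "GET /statuses/public_timeline.json HTTP/1.1" 302 0 "http://api.example.test/statuses/public_timeline.json?r=1"
198.51.100.7 - - [08/Aug/2009:10:45:00 -0700] "GET /statuses/public_timeline.json HTTP/1.1" 302 0 "http://api.example.test/statuses/public_timeline.json?r=1"
198.51.100.7 - - [08/Aug/2009:10:45:01 -0700] "GET /statuses/public_timeline.json HTTP/1.1" 302 0 "http://api.example.test/statuses/public_timeline.json?r=1"
192.0.2.44 - - [08/Aug/2009:10:45:02 -0700] "GET /statuses/public_timeline.json?r=1 HTTP/1.1" 200 5120 "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<location>[^"]*)"$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def redirect_behaviour(log_text):
    """Per client IP: how many 302s were issued and how many were followed.

    A 302 counts as followed when the same IP later requests the path and
    query of the Location it was given. An IP that never received a 302
    does not appear in the result at all.
    """
    stats = defaultdict(lambda: {"redirects": 0, "followed": 0})
    pending = defaultdict(list)  # ip -> Location targets not yet requested
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip unparsable lines rather than abort the whole run
        ip = rec["ip"]
        if rec["status"] == 302 and rec["location"] != "-":
            loc = urlsplit(rec["location"])
            target = loc.path + ("?" + loc.query if loc.query else "")
            stats[ip]["redirects"] += 1
            pending[ip].append(target)
        elif rec["target"] in pending[ip]:
            pending[ip].remove(rec["target"])
            stats[ip]["followed"] += 1
    return dict(stats)


def never_follow(log_text, min_redirects=2):
    """IPs that received at least min_redirects 302s and followed none of them."""
    return sorted(
        ip for ip, s in redirect_behaviour(log_text).items()
        if s["redirects"] >= min_redirects and s["followed"] == 0
    )


if __name__ == "__main__":
    for ip, s in redirect_behaviour(SAMPLE_LOG).items():
        print(ip, s)
    print("never follow a 302:", never_follow(SAMPLE_LOG))
```

In the constructed sample, 203.0.113.10 behaves like a compliant client (one 302, one follow-up to the Location), 198.51.100.7 receives three 302s and never follows any, and 192.0.2.44 only ever requests the redirect target directly, so it is not scored. The `min_redirects` threshold exists because a single unfollowed redirect is normal (a user abandoning a request); a pattern of many is what merits rate limiting or closer inspection.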
