TCP/IP is the protocol underneath HTTP, is not a web service protocol and requires a whole different method to manage and use connections. Think of it as the raw data pipe by which the HTTP protocol is used to communicate between a client program (i.e. a web browser) and the server program (i.e. a web server). It cannot be used in the way that I seem to think you are intending it to be used.

- h

On Sun, Aug 9, 2009 at 17:30, Kyle Mulka <repalvigla...@yahoo.com> wrote:
>
> From Wikipedia:
> "Some upper layer protocols provide their own defense against IP
> spoofing. For example, Transmission Control Protocol (TCP) uses
> sequence numbers negotiated with the remote machine to ensure that
> arriving packets are part of an established connection. Since the
> attacker normally can't see any reply packets, he has to guess the
> sequence number in order to hijack the connection. The poor
> implementation in many older operating systems and network devices,
> however, means that TCP sequence numbers can be predicted."
>
> This seems to say that TCP could be used instead of HTTP 302s. Is
> there something I'm missing for why 302s are necessary here?
>
> --
> Kyle Mulka
> http://twilk.com
>
> On Aug 8, 10:45 pm, John Kalucki <jkalu...@gmail.com> wrote:
> > In a simplified sense, the redirect nullifies a pernicious class of
> > attack where the source IP address is forged. A redirect cannot be
> > followed with a false source address. The attacks that remain are
> > those where the source IP address is valid. You can then imagine other
> > techniques that then can be applied against valid IP addresses. And so
> > the problem is divided and ameliorated, but never fully solved.
> >
> > I'm going to push back for a second with some food for thought for
> > developers: The API is via HTTP. HTTP is a well defined protocol. 302
> > redirects are a valid and well worn part of the HTTP protocol.
> > Consider why applications are not built using fully HTTP compliant
> > libraries. This doesn't address all the problems that we're all
> > having, but it does address some.
> >
> > -John Kalucki
> > http://twitter.com/jkalucki
> > Services, Twitter Inc.
> >
> > On Aug 8, 8:53 am, Kyle Mulka <repalvigla...@yahoo.com> wrote:
> > >
> > > An attacker can just as easily follow a 302 as can a legitimate API
> > > developer or user of Twitter. I don't understand why Twitter thinks
> > > this is a solution to the problem. Please stop 302ing.
> > >
> > > Thanks,
> > >
> > > --
> > > Kyle Mulka
> > > http://twilk.com
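To make John's point concrete, here is a small model, added to this thread and not Twitter's own code, of why a 302 cannot be followed from a forged source address: the reply carrying the Location header is delivered to the claimed source IP, so a sender that forged it never learns where to go. The IP-bound HMAC token in the Location is an added hardening assumption (the thread says nothing about how Twitter built its redirect), and it also shows the residual case John describes, where a redirect issued to one valid address is presented from another. The endpoint path and the 203.0.113.x / 198.51.100.x addresses are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side secret; a real deployment would load it from config.
SERVER_KEY = secrets.token_bytes(32)
PATH = "/1/statuses/update.json"  # constructed sample API endpoint


def _token(source_ip: str, nonce: str) -> str:
    """Bind a nonce to the source IP the server observed on the first request."""
    msg = f"{source_ip}|{PATH}|{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_302(source_ip: str) -> dict:
    """First request: answer with a 302 whose Location carries a nonce and an IP-bound token."""
    nonce = secrets.token_hex(8)
    return {"status": 302,
            "location": f"{PATH}?nonce={nonce}&tok={_token(source_ip, nonce)}"}


def accept_followup(source_ip: str, nonce: str, tok: str) -> bool:
    """Second request: accept only if the token was issued for this same source IP."""
    return hmac.compare_digest(_token(source_ip, nonce), tok)


def exchange(real_ip: str, claimed_ip: str) -> str:
    """Model one client sending a request whose source address may be forged.

    The network delivers the server's 302 to claimed_ip, so a sender that forged
    the source never sees the Location header and cannot issue the follow-up.
    """
    reply = issue_302(claimed_ip)
    if claimed_ip != real_ip:
        return "no-reply"  # the 302 went to the forged address, not to the sender
    # Genuine sender: parse the Location query string and follow the redirect.
    query = reply["location"].split("?", 1)[1]
    params = dict(kv.split("=", 1) for kv in query.split("&"))
    ok = accept_followup(real_ip, params["nonce"], params["tok"])
    return "accepted" if ok else "rejected"
```

Binding the token to the observed IP means the redirect only divides the problem, as John says: a host that genuinely owns its address still completes the exchange, so rate limiting and other controls are still needed for valid sources.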