TCP/IP is the protocol underneath HTTP, is not a web service protocol and
requires a whole different method to manage and use connections.  Think of
it as the raw data pipe by which the HTTP protocol is used to communicate
between a client program (i.e. a web browser) and the server program (i.e. a
web server).  It cannot be used in the way that I seem to think you are
intending it to be used.

- h

On Sun, Aug 9, 2009 at 17:30, Kyle Mulka <> wrote:

> From Wikipedia:
> "Some upper layer protocols provide their own defense against IP
> spoofing. For example, Transmission Control Protocol (TCP) uses
> sequence numbers negotiated with the remote machine to ensure that
> arriving packets are part of an established connection. Since the
> attacker normally can't see any reply packets, he has to guess the
> sequence number in order to hijack the connection. The poor
> implementation in many older operating systems and network devices,
> however, means that TCP sequence numbers can be predicted."
> This seems to say that TCP could be used instead of HTTP 302s. Is
> there something I'm missing for why 302s are necessary here?
> --
> Kyle Mulka
> On Aug 8, 10:45 pm, John Kalucki <> wrote:
> > In a simplified sense, the redirect nullifies a pernicious class of
> > attack where the source IP address is forged. A redirect cannot be
> > followed with a false source address. The attacks that remain are
> > those where the source IP address is valid. You can then imagine other
> > techniques that can then be applied against valid IP addresses. And so
> > the problem is divided and ameliorated, but never fully solved.
> >
> > I'm going to push back for a second with some food for thought for
> > developers: The API is via HTTP. HTTP is a well defined protocol. 302
> > redirects are a valid and well worn part of the HTTP protocol.
> > Consider why applications are not built using fully HTTP compliant
> > libraries. This doesn't address all the problems that we're all
> > having, but it does address some.
> >
> > -John Kalucki
> > Services, Twitter Inc.
> >
> > On Aug 8, 8:53 am, Kyle Mulka <> wrote:
> >
> > > An attacker can just as easily follow a 302 as can a legitimate API
> > > developer or user of Twitter. I don't understand why Twitter thinks
> > > this is a solution to the problem. Please stop 302ing.
> >
> > > Thanks,
> >
> > > --
> > > Kyle Mulka
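
The mechanism John describes, a redirect that only a party who actually receives the reply can follow, as an added example that is not part of the thread and not Twitter's code: the server answers the first request with a 302 whose Location carries a token bound to the caller's source address, and it only serves the second request if that token checks out. The token format, the HMAC binding, the 30-second lifetime and the sample addresses are all assumptions of this example; the thread says nothing about how Twitter built its redirects.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple, Dict
from urllib.parse import urlencode, urlparse, parse_qs

# Assumptions for this example only: a per-process server secret and a short
# token lifetime. Nothing in the thread describes Twitter's actual scheme.
SERVER_SECRET = os.urandom(32)
TOKEN_TTL = 30  # seconds a redirect target stays valid


def make_token(client_ip: str, path: str, issued: int) -> str:
    """MAC the source address, requested path and issue time, so the token is
    tied to the reply that carried it and cannot be minted by a third party."""
    msg = f"{client_ip}|{path}|{issued}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def first_request(client_ip: str, path: str,
                  now: Optional[int] = None) -> Tuple[int, Dict[str, str]]:
    """Step 1: answer the initial call with a 302 whose Location contains a
    token the caller can only learn by receiving this very reply."""
    issued = int(time.time()) if now is None else now
    query = urlencode({"t": make_token(client_ip, path, issued), "ts": issued})
    return 302, {"Location": f"{path}?{query}"}


def follow_redirect(client_ip: str, location: str,
                    now: Optional[int] = None) -> int:
    """Step 2: serve the redirected request only if the token matches this
    source address, this path and a fresh timestamp. A request whose source
    address was forged never saw the Location header, so it must guess."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(location)
    params = parse_qs(parsed.query)
    try:
        token = params["t"][0]
        issued = int(params["ts"][0])
    except (KeyError, IndexError, ValueError):
        return 403
    if issued > now or now - issued > TOKEN_TTL:
        return 403
    expected = make_token(client_ip, parsed.path, issued)
    if not hmac.compare_digest(token, expected):
        return 403
    return 200


def legitimate_client(client_ip: str, path: str) -> int:
    """A client that sees the 302 simply follows it."""
    status, headers = first_request(client_ip, path)
    if status != 302:
        return status
    return follow_redirect(client_ip, headers["Location"])


def blind_spoofer(victim_ip: str, path: str) -> int:
    """An attacker forging victim_ip as source can send the first request, but
    the 302 is routed to the victim. All that is left is to guess a Location."""
    guessed_token = "00" * 32  # constructed guess; the real token is 256 bits
    issued = int(time.time())
    guess = f"{path}?{urlencode({'t': guessed_token, 'ts': issued})}"
    return follow_redirect(victim_ip, guess)
```

Note what this does and does not buy: a sender who cannot observe replies is stopped, which is the class John calls out, while an attacker with a valid source address, or one positioned to read the victim's traffic, follows the redirect exactly as Kyle says. It also does not rely on TCP sequence numbers at all, which is why the protection survives clients and middleboxes with predictable ISNs.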
