Hi Boris,

On Aug 22, 2012, at 5:14 PM, Boris Zbarsky wrote:

> On 8/22/12 4:53 PM, Mark Watson wrote:
>> Also, we've considered "heartbeat" type solutions, which whilst better than
>> nothing are vulnerable to an attack in which the heartbeat messages are
>> blocked.
>
> I'd like to understand this better. Would such an attack not also work on
> XHR?

It would, but the effect would be different.

Blocked heartbeats would cause the server to think that streaming had stopped, when in fact it was continuing. The service underestimates how much streaming there is.

Blocked 'stop' messages would cause the server to think that streaming was continuing, when in fact it had stopped. The service overestimates how much streaming there is.

It so happens that for our business model, underestimating is much worse than overestimating. For a different business model, it might be the opposite.

…Mark

> (I realize there are other issues with a heartbeat ping; just wanted to make
> sure I understand this particular issue properly.)
>
> -Boris
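The under- versus over-estimation asymmetry Mark describes can be made concrete with a small server-side accounting model. The following is an added illustration, not code from this thread or from any of the participants' projects; the heartbeat interval, the liveness timeout, the session length and the observation window are all constructed values, and the two "blocking" filters simply stand in for messages that never reach the server.

```python
"""Model of server-side streaming accounting under two signalling schemes:
(1) periodic client heartbeats, (2) an explicit client 'stop' message.
Both are run against traces in which the attacker-blocked messages are
dropped, to show which direction each scheme's estimate is skewed.
All timings are constructed sample values (seconds)."""

HEARTBEAT_INTERVAL = 10   # client sends a heartbeat every 10 s (assumed)
HEARTBEAT_TIMEOUT = 30    # server presumes the stream stopped after 30 s of silence (assumed)


def client_events(actual_start, actual_stop, interval=HEARTBEAT_INTERVAL):
    """Everything the client *sends*: start, heartbeats while streaming, then stop."""
    events = [(actual_start, "start")]
    t = actual_start + interval
    while t <= actual_stop:
        events.append((t, "heartbeat"))
        t += interval
    events.append((actual_stop, "stop"))
    return events


def block_heartbeats_after(cutoff):
    """Attack on the heartbeat scheme: heartbeats sent after `cutoff` never arrive."""
    return lambda ev: not (ev[1] == "heartbeat" and ev[0] > cutoff)


def block_stop():
    """Attack on the stop-message scheme: the 'stop' message never arrives."""
    return lambda ev: ev[1] != "stop"


def heartbeat_scheme(received, now, timeout=HEARTBEAT_TIMEOUT):
    """Server estimate when liveness is inferred from heartbeats only.
    The session counts from 'start' until the last heartbeat heard; once
    `timeout` seconds pass with no heartbeat the server assumes it stopped
    at the last message it saw."""
    start = last_seen = None
    for t, kind in received:
        if kind not in ("start", "heartbeat"):
            continue                      # this scheme ignores 'stop'
        if kind == "start":
            start = t
        last_seen = t
    if start is None:
        return 0
    if now - last_seen < timeout:
        return now - start                # still considered live
    return last_seen - start              # presumed stopped at last heartbeat


def stop_message_scheme(received, now):
    """Server estimate when the client is expected to announce 'stop'.
    With no stop message by `now`, the session is still counted as running."""
    start = None
    for t, kind in received:
        if kind == "start":
            start = t
        elif kind == "stop" and start is not None:
            return t - start
    return now - start if start is not None else 0


def run_scenarios(actual_start=0, actual_stop=300, now=600, cutoff=60):
    """Compare each scheme's estimate with the true streaming time,
    with and without the relevant messages being blocked."""
    sent = client_events(actual_start, actual_stop)
    actual = actual_stop - actual_start
    hb_blocked = list(filter(block_heartbeats_after(cutoff), sent))
    stop_blocked = list(filter(block_stop(), sent))
    return {
        "actual": actual,
        "heartbeat_unattacked": heartbeat_scheme(sent, now),
        "heartbeat_blocked": heartbeat_scheme(hb_blocked, now),   # underestimate
        "stop_unattacked": stop_message_scheme(sent, now),
        "stop_blocked": stop_message_scheme(stop_blocked, now),   # overestimate
    }


if __name__ == "__main__":
    for name, seconds in run_scenarios().items():
        print(f"{name:22s} {seconds:4d} s")
```

With the constructed trace (a 300 s stream, heartbeats blocked from 60 s onward, observed at 600 s) the heartbeat scheme credits only 60 s while the stop-message scheme credits 600 s; the same blocking primitive moves the estimate in opposite directions, which is exactly why the choice between the two depends on which error the service can afford.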
