craving cryptography commentary
Chris Muller
chris at funkyobjects.org
Sat Aug 20 20:37:30 UTC 2005
Thanks for helping Andrew.
> I also would want a better explanation of what the "(blockage for a
> period of time)" is going to solve. As the other Andrew rightly
> pointed out, the IP address is likely spoofable, allowing for DoS type
> attacks.
I'm no longer intending to do this. The other Andrew enlightened me how a
spoofed IP could be used to block the original user.
> Do requests happen on separate socket connections?
Yes. Is this bad?
> Is that why you are
> interested in doing authentication on each request? If not, would it
> not be easier to just authenticate the connection and then allow any
> requests from that client?
My understanding is that, although difficult, TCP connections can be hijacked.
Man-in-the-middle would not be able to attack if "authenticating" each
transmission was required.
> In any case, it seems to me that the very next kind of security that
> you might want to implement would be to add some privacy to the request
> and the result, which would probably best be implemented with something
> very SSL/TLS like. Might it not be better to just implement SSL/TLS
> first and be done with it?
Yes, I am not intending to reinvent this. The users will have to secure this
themselves with an outboard SSL/TLS as you mention.
> This would also have the advantage of being an extensively
> peer-reviewed protocol, so there'd be far less chance of some
> "obvious-to-someone-who-hasn't-looked-at-it-yet" kind of mistake.
Agreed.
- Chris
More information about the Squeak-dev
mailing list
|