
Re: service.notify?

Hi Gary,

On Jan 11, 2004, at 20:48, Gary Burd wrote:
On Jan 11, 2004, at 11:14 AM, petite_abeille wrote:

One denial of service attack is to register hundreds of URLs at a victim's site with hundreds of notification centers.

At worst, your site goes under. No big loss there. A blog is not a critical piece of infrastructure last time I checked.

Notification centers can be directed to hit any host on the internet.

Hmmm... not sure if I follow you here...


The host need not be hosting a blog or even be running a web server. Because the notifications do not include any information about the notification center,

It does. This is what the Referer is about. If you don't trust the Referer, you could double check the IP address and host name. If you don't like it, run it over SSL and require some client side certificates. Whatever.


there does not appear to be an easy way for a victim to discover the notification centers hitting his host so that he can put a stop to an attack

It's not very practical to fake an IP address. But yes, anything goes if you really want to.


On Jan 11, 2004, at 10:43 AM, petite_abeille wrote:

4) How does one unsubscribe?

There should be a corresponding DELETE method.

What stops an attacker from unregistering other users? This attack can be automated using blogroll formats discussed elsewhere on this list.

Oh, my... please do :) And what? Somebody, somewhere, is potentially not going to get a timely update about someone else's ramblings. Dramatic indeed.


That said, none of those requests are anonymous.

In any case, thanks for the feedback :) Any concrete proposal is much appreciated also.

Cheers,

PA.
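The two risks raised in the thread (a third party registering a victim's URLs at many notification centers, and anyone unregistering other users' subscriptions) and the reply's point that requests need not be anonymous can be put into a small subscription registry. The following is an added example for this discussion, not code from the thread or from any service.notify implementation; the class name, the challenge-echo confirmation step, the per-host cap, the secret unsubscribe token and the outgoing header names are all assumptions chosen to illustrate the mitigations.

```python
import hmac
import secrets
from urllib.parse import urlparse


class NotificationCenter:
    """Hypothetical service.notify subscription registry (assumed design).

    Mitigations modelled:
      - a subscription only becomes active after the callback host echoes a
        random challenge, so nobody can register someone else's URL;
      - a per-host cap on pending+active subscriptions limits how much
        traffic one center can be pointed at a single host;
      - unsubscribing requires the per-subscription secret handed out at
        confirmation, so subscriptions cannot be removed by third parties;
      - every outgoing notification carries the center's own URL, so a
        recipient can identify the source and block or contact it.
    """

    MAX_PER_HOST = 5  # assumed limit

    def __init__(self, center_url):
        self.center_url = center_url
        self.pending = {}  # callback_url -> challenge awaiting echo
        self.active = {}   # callback_url -> secret token for unsubscribe

    @staticmethod
    def _host(url):
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https") or not parsed.hostname:
            raise ValueError("callback must be an absolute http(s) URL")
        return parsed.hostname.lower()

    def subscribe(self, callback_url):
        """Start a subscription; returns the challenge the center must deliver
        to callback_url, or None if the per-host cap would be exceeded."""
        host = self._host(callback_url)
        if callback_url in self.active:
            return None
        others = [u for u in list(self.active) + list(self.pending)
                  if u != callback_url and self._host(u) == host]
        if len(others) >= self.MAX_PER_HOST:
            return None
        challenge = secrets.token_urlsafe(16)
        self.pending[callback_url] = challenge
        return challenge

    def confirm(self, callback_url, echoed_challenge):
        """Activate the subscription if the host echoed the right challenge.
        Returns the secret token needed to unsubscribe, or None."""
        expected = self.pending.get(callback_url)
        if expected is None or not hmac.compare_digest(expected, echoed_challenge):
            return None
        del self.pending[callback_url]
        token = secrets.token_urlsafe(16)
        self.active[callback_url] = token
        return token

    def unsubscribe(self, callback_url, token):
        """DELETE handler: only the holder of the secret token may remove it."""
        stored = self.active.get(callback_url)
        if stored is None or not hmac.compare_digest(stored, token):
            return False
        del self.active[callback_url]
        return True

    def notifications(self, event):
        """Outgoing (url, headers) pairs; the Referer names this center."""
        headers = {"Referer": self.center_url, "X-Notify-Event": event}
        return [(url, dict(headers)) for url in sorted(self.active)]


if __name__ == "__main__":
    nc = NotificationCenter("https://center.example/notify")
    challenge = nc.subscribe("https://blog.example/ping")
    token = nc.confirm("https://blog.example/ping", challenge)
    print("active:", nc.notifications("new-post"))
    print("unsubscribe with bad token:", nc.unsubscribe("https://blog.example/ping", "x"))
    print("unsubscribe with token:", nc.unsubscribe("https://blog.example/ping", token))
```

In a real center the challenge would be delivered by an HTTP request to the callback URL and the echoed value read back from the response; here the caller passes it in directly so the logic runs offline. A subscriber that never confirms stays pending and can be expired, while a recipient that receives unwanted notifications can read the Referer value to see which center to block.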