On Thursday, November 21, 2013, David Precious wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Wed, 2 Oct 2013 14:13:11 -0400<br>
Richard Barnes <rlb@ipv.sx> wrote:<br>
<br>
> (3) is a huge security risk, because of the wide variety of things<br>
> that are done with HTTP requests. For simplicity, let's assume the<br>
> probe would send a GET request, and not anything more sophisticated<br>
> (POST, PUT, DELETE, etc.). You could use a GET request to download a<br>
> file, but you can also use a GET request to do things to supply responses<br>
> to HTTP forms. Want to make sure your favorite band wins the<br>
> EuroVision Song Contest? Just task the Atlas network to have 1000<br>
> probes vote for them every 5 minutes.<br>
<br>
GET requests should not alter state; if they do, arguably the problem<br>
there lies with the design of the faulty website.<br>
<br></blockquote><div><br></div><div>Indeed, that is what the HTTP spec says. But there are a good number of faulty websites out there, and it seems bad to have Atlas be a tool to exploit them. </div><div><br></div><div>
In theory, there's no difference between theory and practice, but in practice there is :)</div><div> </div>