On Tue, May 23, 2017, at 10:24 AM, Alexey Melnikov wrote:
> Hi William,
>
> On 22 May 2017, at 23:14, William Denniss <wdenn...@google.com> wrote:
>>> Section 8.1 makes the statement that "Loopback IP based redirect URIs may
>>> be susceptible to interception by other apps listening on the same
>>> loopback interface." That's not how TCP listener sockets work: for any
>>> given IP address, they guarantee single-process access to a port at any
>>> one time. (Exceptions would include processes with root access, but an
>>> attacking process with that level of access is going to be impossible to
>>> defend against). While mostly harmless, the statement appears to be false
>>> on its face, and should be removed or clarified.
>>>
>>
>> Will be removed in the next update. Thank you.
>
> Actually, I disagree with Adam on this, because what he says is OS
> specific. So I think the text is valuable and should stay.

In particular, I think SO_REUSEADDR socket option is widely implemented, both on Windows and Linux.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
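An added example, not part of the thread or of the draft under discussion: one way a native app could open its loopback redirect listener without opting into port sharing, then check on the running OS that a second bind requesting SO_REUSEADDR is refused. The function names and the `/callback` path are hypothetical; the Windows-only SO_EXCLUSIVEADDRUSE branch is an assumption about what a Windows build would want.

```python
import socket
import sys


def open_redirect_listener():
    """Bind the redirect listener to 127.0.0.1 on an OS-chosen port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # SO_REUSEADDR is deliberately NOT set on the listener.
    # On Windows, additionally request exclusive use of the address/port.
    if sys.platform == "win32" and hasattr(socket, "SO_EXCLUSIVEADDRUSE"):
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_EXCLUSIVEADDRUSE, 1)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(1)
    return srv, srv.getsockname()[1]


def second_bind_refused(port):
    """Self-check: True if a second socket cannot bind the same loopback
    port even when it asks for SO_REUSEADDR."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        probe.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        probe.bind(("127.0.0.1", port))
        return False  # the OS allowed the port to be shared
    except OSError:
        return True   # address in use / access denied: listener is exclusive
    finally:
        probe.close()


def open_checked_listener(path="/callback"):
    """Open the listener and abort the flow if the port turns out shareable.
    Returns the socket and the redirect URI to send in the request."""
    srv, port = open_redirect_listener()
    if not second_bind_refused(port):
        srv.close()
        raise RuntimeError("loopback port can be shared; not starting flow")
    return srv, f"http://127.0.0.1:{port}{path}"


if __name__ == "__main__":
    listener, uri = open_checked_listener()
    print("redirect_uri:", uri)
    listener.close()
```

The check reflects only the behaviour of the OS it runs on, which is the OS-specific point the thread is debating.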