On 5/23/17 05:09, Alexey Melnikov wrote:
> On Tue, May 23, 2017, at 10:24 AM, Alexey Melnikov wrote:
>> Hi William,
>>
>> On 22 May 2017, at 23:14, William Denniss <wdenn...@google.com> wrote:
>>>> Section 8.1 makes the statement that "Loopback IP based redirect
>>>> URIs may be susceptible to interception by other apps listening on
>>>> the same loopback interface." That's not how TCP listener sockets
>>>> work: for any given IP address, they guarantee single-process access
>>>> to a port at any one time. (Exceptions would include processes with
>>>> root access, but an attacking process with that level of access is
>>>> going to be impossible to defend against.) While mostly harmless,
>>>> the statement appears to be false on its face, and should be removed
>>>> or clarified.
>>>
>>> Will be removed in the next update. Thank you.
>>
>> Actually, I disagree with Adam on this, because what he says is OS
>> specific. So I think the text is valuable and should stay.
>
> In particular, I think the SO_REUSEADDR socket option is widely
> implemented, both on Windows and Linux.
Okay, after doing a lot of digging, this appears to be much more
complicated than it should be [1]. Linux (as of 3.9) does allow multiple
_listeners_ on a single IP/Address pair (and does load balancing among
them o_O), but only if they're both using SO_REUSEADDR ("don't do that
then" would be good advice). Windows allows the kind of hijacking
described in the document unless SO_EXCLUSIVEADDRUSE is set (and it
might be good advice in this document to suggest setting it).
So I'm okay with the paragraph staying in, although I would like to see
it qualified with "on some operating systems", and would like to see a
note (probably in section B.3) recommending the use of
SO_EXCLUSIVEADDRUSE on listening sockets.
/a
____
[1] The most comprehensive explanation of facts on the ground that I
could find is
https://stackoverflow.com/questions/14388706/socket-options-so-reuseaddr-and-so-reuseport-how-do-they-differ-do-they-mean-t
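An added example, not part of this thread or of the draft, that exercises the bind semantics discussed above against a real loopback listener in Python. On Linux the two-listener, kernel-load-balanced case comes from SO_REUSEPORT (added in 3.9), which both sockets must set and which additionally requires the same effective UID; on Linux a listening socket blocks a second bind to the same address:port even when both sides set SO_REUSEADDR. SO_EXCLUSIVEADDRUSE exists only on Windows, so the "hardened" listener below sets it where available and is otherwise just a listener with no reuse options. The "app"/"attacker" naming, the use of port 0 to pick a free port, and the single browser-style connection are assumptions of the example.

```python
import errno
import select
import socket

LOOPBACK = "127.0.0.1"
# SO_REUSEPORT is present on Linux >= 3.9 and the BSDs/macOS, absent on Windows.
HAS_REUSEPORT = hasattr(socket, "SO_REUSEPORT")


def open_listener(port=0, *, reuseaddr=False, reuseport=False, exclusive=False):
    """Bind and listen on 127.0.0.1:port (0 = any free port) with the given
    socket options. Raises OSError if the kernel refuses the bind."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        if reuseaddr:
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        if reuseport and HAS_REUSEPORT:
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1)
        if exclusive and hasattr(socket, "SO_EXCLUSIVEADDRUSE"):  # Windows only
            s.setsockopt(socket.SOL_SOCKET, socket.SO_EXCLUSIVEADDRUSE, 1)
        s.bind((LOOPBACK, port))
        s.listen(5)
        return s
    except OSError:
        s.close()
        raise


def redirect_listener(port=0):
    """The listener a native app should use for its loopback redirect URI:
    no SO_REUSEADDR / SO_REUSEPORT, and SO_EXCLUSIVEADDRUSE where the
    platform has it (a no-op elsewhere)."""
    return open_listener(port, exclusive=True)


def second_bind_outcome(app_opts, attacker_opts):
    """Open the 'app' listener on a free loopback port, then try an
    'attacker' listener with its own options on the same port.
    Returns 'bound' if the second bind succeeded (interception possible)
    or 'refused' if the OS rejected it with EADDRINUSE."""
    app = open_listener(0, **app_opts)
    port = app.getsockname()[1]
    try:
        attacker = open_listener(port, **attacker_opts)
    except OSError as e:
        app.close()
        if e.errno in (errno.EADDRINUSE, getattr(errno, "WSAEADDRINUSE", None)):
            return "refused"
        raise
    attacker.close()
    app.close()
    return "bound"


def who_gets_the_redirect(app_opts, attacker_opts):
    """With both listeners on one port, make a single connection (as the
    browser would when delivering the authorization code) and report
    which listener the kernel handed it to: 'app', 'attacker' or 'nobody'."""
    app = open_listener(0, **app_opts)
    port = app.getsockname()[1]
    attacker = open_listener(port, **attacker_opts)
    client = socket.create_connection((LOOPBACK, port))
    try:
        ready, _, _ = select.select([app, attacker], [], [], 2.0)
        if not ready:
            return "nobody"
        conn, _ = ready[0].accept()
        conn.close()
        return "app" if ready[0] is app else "attacker"
    finally:
        client.close()
        attacker.close()
        app.close()


if __name__ == "__main__":
    cases = {
        "plain app vs plain attacker": ({}, {}),
        "plain app vs SO_REUSEADDR attacker": ({}, {"reuseaddr": True}),
        "plain app vs SO_REUSEPORT attacker": ({}, {"reuseport": True}),
        "both SO_REUSEPORT": ({"reuseport": True}, {"reuseport": True}),
        "hardened app vs SO_REUSEADDR attacker": ({"exclusive": True}, {"reuseaddr": True}),
    }
    for name, (a, b) in cases.items():
        print(f"{name}: {second_bind_outcome(a, b)}")
    if HAS_REUSEPORT:
        print("both SO_REUSEPORT, one connection goes to:",
              who_gets_the_redirect({"reuseport": True}, {"reuseport": True}))
```

Run it on Linux and the only case that reports "bound" is the one where the app itself opted into SO_REUSEPORT, which is the "don't do that then" case; the same script on Windows is where the "plain app vs SO_REUSEADDR attacker" row flips to "bound" and the hardened row stays "refused", which is the reason for recommending SO_EXCLUSIVEADDRUSE.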
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth