[NNTP] STREAMING diffs (take 2)
Ken Murchison
ken at oceana.com
Mon Jun 13 11:27:42 PDT 2005
Russ Allbery wrote:
> Same here. I don't understand. Surely the use of deferrals and the
> interaction between CHECK and TAKETHIS are protocol issues?
The vulnerability that we're discussing isn't inherent in the design of
the CHECK command. It's only present in server implementations which
choose to "lock" a particular message-id that they receive from a CHECK
command. You can certainly write a server which isn't subject to this
attack.
As I said, I'm not going to argue strongly against adding your suggested
text, but it seems like BCP stuff to me. Then again, I might be full of
shit.
--
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26 Orchard Park, NY 14127
--PGP Public Key-- http://www.oceana.com/~ken/ksm.pgp
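
Added example, not part of the original message and not taken from any NNTP server: a minimal model of a CHECK reservation that expires and never blocks TAKETHIS, assuming the attack under discussion is a peer that reserves a message-id with CHECK and then never sends the article. The class name, TTL value and peer labels are hypothetical; 238/431/438 and 239/439 are the CHECK and TAKETHIS response codes.

```python
import time


class OfferTable:
    """Tracks message-ids offered via CHECK but not yet received (hypothetical model)."""

    def __init__(self, lock_ttl=30.0, clock=time.monotonic):
        self.lock_ttl = lock_ttl  # seconds a CHECK reservation stays valid (assumed value)
        self.clock = clock        # injectable so the expiry can be exercised offline
        self.pending = {}         # message-id -> (peer, expiry time)
        self.stored = set()       # message-ids already accepted

    def check(self, peer, msgid):
        """Return the CHECK response code for this peer's offer."""
        if msgid in self.stored:
            return 438            # not wanted: article already held
        now = self.clock()
        holder = self.pending.get(msgid)
        if holder and holder[0] != peer and holder[1] > now:
            return 431            # defer: another peer holds a live reservation
        # No reservation, our own reservation, or an expired one: (re)reserve.
        self.pending[msgid] = (peer, now + self.lock_ttl)
        return 238                # send it

    def takethis(self, peer, msgid):
        """Accept the article from any peer, regardless of who reserved it."""
        if msgid in self.stored:
            return 439            # rejected: duplicate
        self.stored.add(msgid)
        self.pending.pop(msgid, None)
        return 239                # accepted
```

A server that returns 431 for as long as the first reservation exists, with no expiry, is the "locking" behaviour the message refers to; here the deferral ends after lock_ttl seconds and an article arriving by TAKETHIS clears it at once.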