Re: Any idea when CVE-2016-5696 is going to get fixed?
"John T. Haggerty" <jpcookie@gmail.com> writes:
> On Fri, Aug 26, 2016 at 9:11 PM, Perry E. Metzger <perry@piermont.com>
> wrote:
>
> On Fri, 26 Aug 2016 21:06:15 +0200 Frederic Marchal
> <frederic.marchal@wowtechnology.com> wrote:
>
> > The download must be long
> > enough (more than one minute) for the attacker to discover the
> set
> > of parameters that will make the attack successful.
>
> You've forgotten how the modern web works. People have http:
> connections live for very long periods of time, with dynamic
> content
> flittering back and forth over the channel. It isn't like 1996 any
> more where someone downloaded some static HTML and closed the TCP
> connection until the next page was downloaded when they clicked
> again. It hasn't been like that in a very long time.
>
> So you are referring to the "netstat" output from the system itself?
> So physically redraw the page they are on even if they haven't
> refreshed the page?
I'm not sure how netstat is relevant here.... but think of protocols
like AJAX where, indeed, content on a web page can be updated without
any user activity. Do you have a facebook account? I frequently have a
browser open to it for days at a time while it updates my feed (in
fairness, that's https: not http:, but the point about long-lived
connections remains valid).
Reply to: