On Thursday, November 21, 2013, David Precious wrote:
On Wed, 2 Oct 2013 14:13:11 -0400 Richard Barnes <rlb@ipv.sx> wrote:
(3) is a huge security risk, because of the wide variety of things that are done with HTTP requests. For simplicity, let's assume the probe would send a GET request, and not anything more sophisticated (POST, PUT, DELETE, etc.). You could use a GET request to download a file, but you can also use a GET request to do things to supply responses to HTTP forms. Want to make sure your favorite band wins the Eurovision Song Contest? Just task the Atlas network to have 1000 probes vote for them every 5 minutes.
GET requests should not alter state; if they do, arguably the problem there lies with the design of the faulty website.
Indeed, that is what the HTTP spec says. But there are a good number of faulty websites out there, and it seems bad to have Atlas be a tool to exploit them. In theory, there's no difference between theory and practice, but in practice there is :)