On Thursday, November 21, 2013, David Precious  wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Wed, 2 Oct 2013 14:13:11 -0400<br>
Richard Barnes &lt;rlb@ipv.sx&gt; wrote:<br>
<br>
&gt; (3) is a huge security risk, because of the wide variety of things<br>
&gt; that are done with HTTP requests.  For simplicity, let&#39;s assume the<br>
&gt; probe would send a GET request, and not anything more sophisticated<br>
&gt; (POST, PUT, DELETE, etc.).  You could use a GET request to download a<br>
&gt; file, but you can also a GET request to do things to supply responses<br>
&gt; to HTTP forms.  Want to make sure your favorite band wins the<br>
&gt; EuroVision Song Contest?  Just task the Atlas network have 1000<br>
&gt; probes vote for them every 5 minutes.<br>
<br>
GET requests should not alter state; if they do, arguably the problem<br>
there lies with the design of the faulty website.<br>
<br></blockquote><div><br></div><div>Indeed, that is what the HTTP spec says. But there are a good number of fault websites out there, and it seems bad to have Atlas be a tool to exploit them.  </div><div><br></div><div>
In theory, there&#39;s no difference between theory and practice, but in practice there is :)</div><div> </div>