Dumb mode question
meepbear at hotmail.com
Wed Jul 6 12:48:55 PDT 2005
> > If a server receives an invalidate_handle it does know about then it
> > should be not answer the check_authentication but simply return an error
> > as well.
>No! The whole point of invalidate_handle was for when servers forgot
>their secrets. If you send a server a gibberish invalidate_handle, it has
>to confirm that it knows nothing about it.
I suggested the opposite though.
An "attacker" has three (easy) choices to tamper with an invalidate_handle:
1) make one up and neither will know about it, 2) use one the server knows
about but the consumer doesn't, 3) use one that both the consumer and server
With the normal flow of the protocol, none of the above should ever occur
"naturally". The only way a "regular mode" consumer could fallback to "dumb
mode" is when the server forgets about the handle and then the consumer is
the only one that knows about it.
On the consumer side: it sees an invalidate_handle it doesn't know about so
it returns an error (elminates 1 and 2).
On the server side: it knows it would never return an invalidate_handle on
an handle it knows about (and hasn't expired yet) so it can safely return an
error without breaking anything when it sees one, eliminating 3.
The legitimate case is when the server forgets about an handle in which case
the consumer won't complain since it knows about the handle. The server
won't complain either since it doesn't know the handle and will acknowledge
that it doesn't and validate the "check_authentication" as it's supposed to.
More information about the yadis