The TCP "challenge ACK" side channel

Posted Aug 11, 2016 14:57 UTC (Thu) by ssmith32 (subscriber, #72404)
In reply to: The TCP "challenge ACK" side channel by smoogen
Parent article: The TCP "challenge ACK" side channel

Noooo... note that they fixed this without violating the RFC. "Why aren't you RFC compliant?" doesn't mean it's a holy grail. RFC's are generally very boring, detailed and clear. In other words, "You had ONE job, it was simple, straightforward and clear - what went wrong?". Following it doesn't mean it is secure or awesome. You still need to look for bugs, and be diligent. Otherwise we would just have RFC compilers, and no need for skilled engineers to implement them *well*.

Please don't pretend this is an excuse to violate RFC's... we'll end up with IE and all other kinds of 1990s Microsoft wonderfulness.

The TCP "challenge ACK" side channel

Posted Aug 11, 2016 16:08 UTC (Thu) by smoogen (subscriber, #97) [Link] (1 responses)

I was talking about people who think that RFC's are holy grails and that you can implement them purely like they were compilers. I have dealt with way too many engineers who have dealt with some aspect of one RFC which is written in such a way and thus think that all of them are or should be.

As a side comment, while IE did vary off from various standards some of the WORST things people complained about in the IE1->4 days was where it was actually following the standard to the letter but Netscape didn't because to follow the standard to the letter gave crappy viewing (or subpar performance or a thousand other things.) I know this because I worked on the upstream browser and we spend most of our time having to implement 'this does not follow the HTML standard but it makes it work with Netscape' quite often. [Do not take this as Microsoft or Spyglass was right in putting in the various RFC breaks.. just that sometimes compliant and complaint are only 2 letters different]

The TCP "challenge ACK" side channel

Posted Aug 11, 2016 17:22 UTC (Thu) by flussence (guest, #85566) [Link]

The HTML standard agrees with you these days — in the same spec with a volume dedicated to a “how to parse 10 billion pages of broken crap consistently” algorithm, there used to be gems like “comments must be valid SGML with balanced -- delimiters”. Thankfully the WHATWG saw some common sense and changed it (the W3C has yet to...)