"John T. Haggerty" <jpcoo...@gmail.com> writes:

> On Fri, Aug 26, 2016 at 9:11 PM, Perry E. Metzger <pe...@piermont.com>
> wrote:
>
> > On Fri, 26 Aug 2016 21:06:15 +0200 Frederic Marchal
> > <frederic.marc...@wowtechnology.com> wrote:
> >
> > > The download must be long
> > > enough (more than one minute) for the attacker to discover the set
> > > of parameters that will make the attack successful.
> >
> > You've forgotten how the modern web works. People have http:
> > connections live for very long periods of time, with dynamic content
> > flittering back and forth over the channel. It isn't like 1996 any
> > more where someone downloaded some static HTML and closed the TCP
> > connection until the next page was downloaded when they clicked
> > again. It hasn't been like that in a very long time.
>
> So you are referring to the "netstat" output from the system itself?
> So physically redraw the page they are on even if they haven't
> refreshed the page?

I'm not sure how netstat is relevant here... but think of protocols like AJAX where, indeed, content on a web page can be updated without any user activity. Do you have a Facebook account? I frequently have a browser open to it for days at a time while it updates my feed (in fairness, that's https: not http:, but the point about long-lived connections remains valid).