My argument was that yes, don’t be surprised that people open your lock if you openly show the combination to dodgy characters like Talk Talk. The net is a hostile environment (more so with certain ISPs and/or countries you are dealing with).

When I make a phone call, the number I have called is known only to me and the phone company. My expectation is that they will record the number I called, perhaps for legal purposes, perhaps for billing, etc. Even though anyone in the world *could* immediately call the number I just called (it’s “fair game” in a sense), no one else knows I called it. If the phone company were not only keeping track of all the numbers I called, but also calling them 30 seconds after I called them (and asking whoever answers for the exact same thing I asked for when I placed my call) that would be a pretty big violation of our (current, default) expectations re privacy.

TalkTalk is both my internet provider and my phone provider – maybe soon they’ll start recording what I say on the phone, auto-dialing all my numbers, and playing my voice down the connection too!!??

Yes, I guess you could argue that. But to me the following analogies are pretty close to what TalkTalk are doing:

1. I leave the backdoor to my house open, and let my friends wander in whenever they please. Should I think it’s fine for strangers to follow them down the street and also wander into my house?

2. I put a combination lock on my back door, and tell the combination to a friend. The friend comes to visit and lets him/herself in, but is tailed by a stranger who looks over their shoulder as they enter the combination. The stranger then comes into my house sometime later using the combination. Is that OK? The combination lock that is opened with the expectation of privacy is like an obscure URL with an MD5 sum in it – in theory no one should be able to re-use it. But an eavesdropper can.

TalkTalk will probably argue that they have to protect the children, protect us all against phishing, etc. Who knows?

I agree with the HTTPS comment, of course. And re protocol, there is a pending patch on the socket.io repo to 404 subsequent connections that don’t come from the same IP address (or maybe just ones that don’t upgrade the connection protocol, I’m not sure exactly).

Terry

Either use HTTPS or add something to the protocol that avoids these replay attacks?