W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1998

RE: LYNX-DEV two curiosities from IETF HTTP session.

From: Jim Gettys <jg@pa.dec.com>
Date: Thu, 18 Dec 1997 10:50:57 -0800
Message-Id: <9712181850.AA06471@pachyderm.pa.dec.com>
To: Paul Leach <paulle@microsoft.com>
Cc: Yaron Goland <yarong@microsoft.com>, jg@pa.dec.com, Josh Cohen <joshco@microsoft.com>, Foteos Macrides <MACRIDES@sci.wfbr.edu>, lynx-dev@sig.net, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com

> 
>  <snip>
>  
>  > I think you are confused....  In Rev-01, only an origin server is allowed
>  > to generate a 305 response.  It is authoritative for that resource, so
>  > the spoofing problems don't come up (and is the reason for that text being
>  > in the document...)
>  > 
>  And exactly how can the browser tell that it was the origin server that sent
>  the 305? And not the untrustworthy proxy in between the client and the
>  server?

You can't tell.

>  
>  I know that normally one trusts one's proxy, but since security issues are
>  being raised here, the question needs to be asked.
>  
>  Paul

You've delegated trust to the proxy.  If the trust was misplaced, you have
any/all sort of attacks possible, of which this is far from the most
serious.  The best we can do is mitigate the damage, for correct,
and trustworthy implementations.  The problem with 306 was that it was
a way to insert a man in the middle, relatively easily, which was
not trustworthy.
					- Jim
Received on Saturday, 3 January 1998 07:59:27 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:09 EDT