On Mon, 6 Aug 2007, Henrik Nordstrom wrote:

> On tor, 2007-08-02 at 12:39 -0700, Lisa Dusseault wrote:
> > This issue is part HTML, part URL construction rules, part DNS and of
> > course a little bit of HTTP
>
> Fortunately quite easy to protect from within the current HTTP/1.1
> specs. Only requirement is that one can assume clients support HTTP/1.1
> or at least HTTP/1.0 + Host header, which is all known browsers and
> nearly all other known user-agents.
>
> HTTP solution: Make the web server only respond on known site names, not
> a catch-all "defaultsite".

I must be dense ... I don't understand how an attack which returns invalid IPs for a host is mitigated by proper honoring of Host header info.

Received on Monday, 6 August 2007 19:51:53 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 7 December 2009 10:38:28 GMT
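The server-side check Henrik describes, as an added example that is not part of this thread or of any project's code: a Python function that decides whether to answer a raw HTTP request head at all, based on an allow-list of known site names. The site names (`www.example.org`, `example.org`) and the sample request heads are constructed for illustration. The point the example makes is that a browser steered to this server's IP by a hostile DNS answer still puts the hostname it navigated to in the Host header, so that hostname is what the server sees and can refuse.

```python
"""Added example, not code from the mailing-list thread: refuse any request
whose Host (or absolute-URI host) is not a site name this server serves.
Site names and sample requests below are constructed for illustration."""
import re
from urllib.parse import urlsplit

# Site names this server is willing to answer for (assumed for the example).
KNOWN_SITES = {"www.example.org", "example.org"}

_REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")
# Host field-value: a DNS name or IPv4 literal with an optional :port.
# Bracketed IPv6 literals and userinfo tricks ("a@b") do not match and
# are refused, which is the safe failure for this check.
_HOST_VALUE = re.compile(r"^([A-Za-z0-9.-]+)(?::(\d{1,5}))?$")


def parse_head(raw: bytes):
    """Split a request head into (method, target, version, headers).

    headers maps lower-cased field names to the list of values seen, so a
    duplicated Host header stays visible instead of being silently merged.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    m = _REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("malformed request line")
    version = (int(m.group(3)), int(m.group(4)))
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return m.group(1), m.group(2), version, headers


def effective_host(target: str, headers: dict):
    """Return the normalised host the request is addressed to, or None.

    RFC 2616 section 5.2: when the request-target is an absolute URI its
    host wins over the Host header; otherwise exactly one Host header is
    required. Case, an explicit port and a trailing dot are normalised so
    'WWW.Example.ORG.:8080' still matches the allow-list entry.
    """
    if "://" in target:
        host = urlsplit(target).hostname   # lower-cased, port already removed
    else:
        values = headers.get("host", [])
        if len(values) != 1:
            return None                    # absent or duplicated: refuse to guess
        m = _HOST_VALUE.match(values[0])
        if not m:
            return None
        host = m.group(1).lower()
    if not host:
        return None
    return host.rstrip(".")


def response_status(raw: bytes) -> int:
    """Status the server would send for this request head: 200 or 400.

    A request for a host that is not a known site name gets 400 and no
    content. That is what makes the hostile-DNS case harmless: the browser
    has connected to our IP, but it still sends the attacker's hostname in
    Host, and we decline to act as that site.
    """
    try:
        _method, target, _version, headers = parse_head(raw)
    except ValueError:
        return 400
    host = effective_host(target, headers)
    if host is None or host not in KNOWN_SITES:
        return 400
    return 200


# Constructed sample request heads.
LEGIT = b"GET / HTTP/1.1\r\nHost: www.example.org\r\n\r\n"
# What a browser sends after attacker.example has been resolved to our IP.
REBOUND = b"GET /secret HTTP/1.1\r\nHost: attacker.example\r\n\r\n"
NO_HOST = b"GET / HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("legit", LEGIT), ("rebound", REBOUND), ("no host", NO_HOST)):
        print(f"{label:8} -> {response_status(req)}")
```

Deployment-wise this is the same thing as configuring the default virtual host in Apache, nginx or Squid to return an error (or close the connection) rather than serving the first configured site, so that only an explicitly named `ServerName` / `server_name` gets content.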