Re: Fodder for security issues document (was: dns binding) from Henrik Nordstrom on 2007-08-06 (ietf-http-wg@w3.org from July to September 2007)

From: Henrik Nordstrom <henrik@henriknordstrom.net>
Date: Mon, 06 Aug 2007 17:35:34 +0200
To: Lisa Dusseault <ldusseault@commerce.net>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <1186414534.4273.71.camel@henriknordstrom.net>

On tor, 2007-08-02 at 12:39 -0700, Lisa Dusseault wrote:
> This issue is part HTML, part URL construction rules, part DNS and of  
> course a little bit of HTTP

Fortunately quite easy to protect from within the current HTTP/1.1
specs. Only requirement is that one can assume clients supports HTTP/1.1
or at least HTTP/1.0 + Host header, which is all known browsers and
nearly all other known user-agents.

HTTP solution: Make the web server only respond on known site names, not
a catch-all "defaultsite".

Regards
Henrik

Received on Monday, 6 August 2007 15:35:44 UTC