Re: Fodder for security issues document (was: dns binding)

On Mon, 6 Aug 2007, Henrik Nordstrom wrote:

> On tor, 2007-08-02 at 12:39 -0700, Lisa Dusseault wrote:
> > This issue is part HTML, part URL construction rules, part DNS and of
> > course a little bit of HTTP
>
> Fortunately quite easy to protect from within the current HTTP/1.1
> specs. Only requirement is that one can assume clients support HTTP/1.1
> or at least HTTP/1.0 + Host header, which is all known browsers and
> nearly all other known user-agents.
>
> HTTP solution: Make the web server only respond on known site names, not
> a catch-all "defaultsite".

I must be dense ... I don't understand how an attack which returns invalid
IPs for a host is mitigated by proper honoring of host header info.

Received on Monday, 6 August 2007 19:51:53 UTC
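Added illustration (not code from the thread or from any project mentioned in it) of the Host-header allowlist Henrik describes, and of why it answers the question above: after a rebinding, the victim's browser still sends the attacker's hostname in Host:, so a server that only answers for its own site names refuses the request. KNOWN_SITES, SITE_PORTS and the sample requests are constructed for this example.

```python
from typing import Optional

# Constructed allowlist: the only names this server is willing to answer for.
KNOWN_SITES = {"www.example.org", "example.org"}
SITE_PORTS = {80, 443}


def host_is_known(host_header: Optional[str]) -> bool:
    """True only if the request is addressed to one of our own site names.

    Rebinding gives the attacker's name a new A record, but it does not
    change the name the browser puts in Host:, so an allowlist still
    rejects the rebound request even though it arrives at our IP.
    """
    if host_header is None:
        return False                      # no Host at all: treat as unknown
    h = host_header.strip().lower()       # header is case-insensitive
    if not h or h.startswith("["):
        return False                      # empty, or IPv6 literal: not a site name
    name, _, port = h.partition(":")
    if port and (not port.isdigit() or int(port) not in SITE_PORTS):
        return False                      # malformed or unexpected port
    return name.rstrip(".") in KNOWN_SITES


def dispatch(headers: dict) -> int:
    """Minimal front door: 400 for unknown/missing Host (the RFC 2616 response
    for a missing Host on HTTP/1.1), 200 otherwise."""
    return 200 if host_is_known(headers.get("Host")) else 400


def rebound_request_status() -> int:
    """Constructed scenario: attacker.example has been rebound to our IP, so
    the victim's browser delivers its request here, but with the attacker's
    name in Host:. The allowlist turns it away."""
    return dispatch({"Host": "attacker.example"})


if __name__ == "__main__":
    print("legitimate request:", dispatch({"Host": "WWW.Example.org:80"}))
    print("rebound request:   ", rebound_request_status())
```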