Re: Fodder for security issues document (was: dns binding)

From: Henrik Nordstrom <henrik@henriknordstrom.net>
Date: Mon, 06 Aug 2007 22:30:05 +0200
To: David Morris <dwm@xpasc.com>
Cc: ietf-http-wg@w3.org, Lisa Dusseault <ldusseault@commerce.net>
Message-Id: <1186432205.13317.10.camel@henriknordstrom.net>
On Mon, 2007-08-06 at 12:51 -0700, David Morris wrote:

> > HTTP solution: Make the web server only respond on known site names, not
> > a catch-all "defaultsite".
> 
> I must be dense ... I don't understand how an attack which returns invalid
> IPs for a host is mitigated by proper honoring of host header info.

It blocks information theft in the attack vectors where the attacker's
software/scripts cannot gain direct network access and only have
validated HTTP clients with working host/domain based restrictions to
work with.

Of course it does not protect against DoS botnets, or the other
information theft attack vectors where the attacker gains direct network
access and can construct the HTTP request freely, or where
implementation bugs allow the attacker to bypass host/domain based
restrictions. There is very little which can be done at the HTTP level
in these cases as the requests look perfectly valid on the server side.

Regards
Henrik
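The following Python sketch is an added example, not code from Henrik's mail or from any server discussed in the thread. It shows the server-side check the thread describes: answering only for site names the server is actually deployed under, instead of a catch-all "defaultsite". In the DNS-rebinding case the browser still sends the attacker's own domain in the Host header, so an allowlist turns that request away even though it arrives at the rebound IP; the allowlist, the site names and the sample requests below are all constructed for illustration. The contrasting `catch_all_decide` stands in for the vulnerable default-site behaviour.

```python
"""Host-header allowlist as a DNS-rebinding defence (constructed example)."""

# Constructed allowlist: the names this server is really deployed under.
KNOWN_HOSTS = {"intranet.example", "www.intranet.example"}


def normalize_host(raw: str) -> str:
    """Lower-case the Host value and strip an optional :port suffix.

    Bracketed IPv6 literals ("[::1]:8080") are handled so the port split
    does not cut inside the address. Returns "" for a malformed value.
    """
    raw = raw.strip().lower()
    if raw.startswith("["):              # IPv6 literal in RFC 3986 form
        end = raw.find("]")
        if end == -1:
            return ""                    # unterminated bracket: malformed
        return raw[: end + 1]            # keep "[addr]", drop ":port"
    return raw.split(":", 1)[0]


def get_host(request_headers: dict):
    """Case-insensitive lookup of the Host header; None if absent."""
    return next((v for k, v in request_headers.items()
                 if k.lower() == "host"), None)


def catch_all_decide(request_headers: dict) -> int:
    """The 'defaultsite' behaviour: serve the content whatever Host says.

    This is the configuration the thread warns about; a rebound browser
    request carrying the attacker's domain gets the internal content.
    """
    return 200


def allowlist_decide(request_headers: dict, known_hosts=KNOWN_HOSTS) -> int:
    """Return the HTTP status the server should use for this request.

    200  Host names a site this server is deployed under -> serve it
    400  Host header missing or malformed (HTTP/1.1 requires it)
    421  Host names a site this server does not serve. 421 "Misdirected
         Request" was defined later (RFC 7540); a 2007-era server would
         answer 400 or 404 here, the point is only that it does not serve.
    """
    host = get_host(request_headers)
    if host is None:
        return 400
    host = normalize_host(host)
    if not host:
        return 400
    if host in known_hosts:
        return 200
    return 421


def rebinding_scenario():
    """Constructed rebinding request: attacker.example now resolves to the
    intranet server's IP, but the victim's browser still sends the
    attacker's domain as Host. Returns (catch-all status, allowlist status).
    """
    rebound_request = {"Host": "attacker.example", "User-Agent": "browser"}
    return catch_all_decide(rebound_request), allowlist_decide(rebound_request)


if __name__ == "__main__":
    print("rebinding request, catch-all vs allowlist:", rebinding_scenario())
    print("legitimate request:",
          allowlist_decide({"host": "Intranet.Example:8080"}))
```

The check only bites when the attacker is limited to a browser that adds the Host header itself; as the mail says, an attacker who can open raw sockets to the server simply writes a valid Host line, and the request is indistinguishable on the server side.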

Received on Monday, 6 August 2007 20:30:24 GMT