CERT VU#435052 - intercepting proxy vulnerability

From: Mark Nottingham <mnot@yahoo-inc.com>
Date: Tue, 24 Feb 2009 10:42:51 +1100
Message-Id: <AB66D0BA-BBDB-437D-82E2-B262C74916EA@yahoo-inc.com>
To: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>

See:
   http://www.kb.cert.org/vuls/id/435052

From an HTTP perspective, there are a number of potential reactions:

1) intercepting proxies are bad; we told you so!

2) we should accommodate intercepting proxies in HTTPbis, because  
they're a reality.

2a) we should note this type of attack in Security Considerations, and  
more strongly recommend that clients send an absolute URI on the  
request-line, even when not using a configured proxy.

Just food for thought...

Cheers,

--
Mark Nottingham
Received on Monday, 23 February 2009 23:43:47 GMT