CERT VU#435052 - intercepting proxy vulnerability

From: Mark Nottingham <mnot@yahoo-inc.com>
Date: Tue, 24 Feb 2009 10:42:51 +1100
Message-Id: <AB66D0BA-BBDB-437D-82E2-B262C74916EA@yahoo-inc.com>
To: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>

From an HTTP perspective, there are a number of potential reactions;

1) intercepting proxies are bad; we told you so!

2) we should accommodate intercepting proxies in HTTPbis, because  
they're a reality.

2a) we should note this type of attack in Security Considerations, and  
more strongly recommend that clients send an absolute URI on the  
request-line, even when not using a configured proxy.

Just food for thought...


Mark Nottingham
Received on Monday, 23 February 2009 23:43:47 UTC
