W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2009

DNS rebinding not mentioned in "HTTP/1.1, part 1"

From: Tyler Close <tyler.close@gmail.com>
Date: Wed, 25 Nov 2009 07:18:56 -0800
Message-ID: <5691356f0911250718p19709b9er1561cb9d46eb33a3@mail.gmail.com>
To: HTTP Working Group <ietf-http-wg@w3.org>
The "Security Considerations" section of "HTTP/1.1, part 1" does not
mention DNS rebinding attacks. The normative language in the section
on "DNS spoofing" seems to require vulnerability to DNS rebinding

If HTTP clients cache the results of host name lookups in order to
achieve a performance improvement, they MUST observe the TTL
information reported by DNS


"Waterken News: Capability security on the Web"
Received on Wednesday, 25 November 2009 15:19:29 UTC

This archive was generated by hypermail 2.3.1 : Monday, 9 September 2019 17:47:22 UTC