
DNS rebinding not mentioned in "HTTP/1.1, part 1"

From: Tyler Close <tyler.close@gmail.com>
Date: Wed, 25 Nov 2009 07:18:58 -0800
Message-ID: <5691356f0911250718o33957da9v5027092322af83e2@mail.gmail.com>
To: HTTP Working Group <ietf-http-wg@w3.org>

The "Security Considerations" section of "HTTP/1.1, part 1" does not
mention DNS rebinding attacks. The normative language in the section
on "DNS spoofing" seems to require vulnerability to DNS rebinding
attacks:

"""
If HTTP clients cache the results of host name lookups in order to
achieve a performance improvement, they MUST observe the TTL
information reported by DNS
"""

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Wednesday, 25 November 2009 15:19:38 GMT
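
The interaction the message points at, as an added example that is not part of the original post: a simulated client cache that observes the DNS TTL, as the quoted MUST requires, lets one host name move from a public to an internal address mid-session. The pinned cache is an assumption introduced here for contrast, and the zone data, addresses and timings are constructed.

```python
import ipaddress

# Constructed zone data: (valid_from_second, address, ttl_seconds).
ANSWERS = [(0, "203.0.113.10", 1), (2, "192.168.0.1", 1)]

# Address ranges treated as internal for this illustration.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def authoritative_lookup(now):
    """Return (address, ttl) that the constructed zone serves at time `now`."""
    current = None
    for start, addr, ttl in ANSWERS:
        if now >= start:
            current = (addr, ttl)
    return current

class TtlCache:
    """Client cache that re-resolves once the TTL has expired."""
    def __init__(self):
        self.entry = None  # (address, expires_at)

    def resolve(self, now):
        if self.entry is None or now >= self.entry[1]:
            addr, ttl = authoritative_lookup(now)
            self.entry = (addr, now + ttl)
        return self.entry[0]

class PinnedCache:
    """Hypothetical cache that keeps the first answer for the whole session."""
    def __init__(self):
        self.addr = None

    def resolve(self, now):
        if self.addr is None:
            self.addr, _ = authoritative_lookup(now)
        return self.addr

def addresses_seen(cache, request_times):
    """Addresses one host name maps to across a session's requests."""
    return [cache.resolve(t) for t in request_times]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)

def rebinds_to_internal(addresses):
    """True if the name started on an external address and later hit an internal one."""
    return not is_internal(addresses[0]) and any(is_internal(a) for a in addresses[1:])
```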
