
Re: DNS rebinding not mentioned in "HTTP/1.1, part 1"

From: Mark Nottingham <mnot@mnot.net>
Date: Wed, 2 Dec 2009 11:37:51 +1100
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <B1DECC8A-D591-4319-A164-578F9A973F3F@mnot.net>
To: Tyler Close <tyler.close@gmail.com>

See:
  http://trac.tools.ietf.org/wg/httpbis/trac/ticket/100


On 26/11/2009, at 2:18 AM, Tyler Close wrote:

> The "Security Considerations" section of "HTTP/1.1, part 1" does not
> mention DNS rebinding attacks. The normative language in the section
> on "DNS spoofing" seems to require vulnerability to DNS rebinding
> attacks:
> 
> """
> If HTTP clients cache the results of host name lookups in order to
> achieve a performance improvement, they MUST observe the TTL
> information reported by DNS
> """
> 
> --Tyler
> 
> -- 
> "Waterken News: Capability security on the Web"
> http://waterken.sourceforge.net/recent.html
> 


--
Mark Nottingham     http://www.mnot.net/
Received on Wednesday, 2 December 2009 00:38:23 GMT
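
An added illustration of the tension raised in the quoted message, not code from the thread or from the HTTP drafts: a host-name cache that observes DNS TTLs as the quoted text requires, with one possible check that rejects a refreshed answer moving a name from an external address to a loopback, private or link-local one. The resolver and clock callables, the class and function names, and the sample name and addresses are assumptions constructed for the example.

```python
import ipaddress

# Loopback, RFC 1918, link-local and IPv6 local ranges treated as internal.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

class RebindingError(Exception):
    """A refreshed answer moved a name from an external to an internal address."""

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip.version == n.version and ip in n for n in INTERNAL_NETS)

class TtlCache:
    """Host-name cache that observes DNS TTLs and vets each refreshed answer."""

    def __init__(self, resolve, clock):
        self._resolve = resolve  # assumed callable: name -> (address, ttl_seconds)
        self._clock = clock      # assumed callable: () -> current time in seconds
        self._entries = {}       # name -> (address, expires_at)

    def lookup(self, name):
        now = self._clock()
        cached = self._entries.get(name)
        if cached and now < cached[1]:
            return cached[0]                 # TTL still valid: reuse the answer
        addr, ttl = self._resolve(name)      # TTL expired: resolve again
        if cached and not is_internal(cached[0]) and is_internal(addr):
            raise RebindingError(f"{name}: {cached[0]} -> {addr}")
        self._entries[name] = (addr, now + ttl)
        return addr

def demo():
    # Constructed sample: the answer for one name changes after a 1 s TTL.
    answers = iter([("203.0.113.10", 1), ("192.168.0.1", 1)])
    now = [0.0]
    cache = TtlCache(lambda name: next(answers), lambda: now[0])
    first = cache.lookup("example.test")
    now[0] = 0.5
    second = cache.lookup("example.test")    # within TTL, served from cache
    now[0] = 2.0                             # TTL expired, answer has changed
    try:
        cache.lookup("example.test")
    except RebindingError:
        return first, second, True
    return first, second, False
```

The check covers only the external-to-internal transition; a change between two external addresses passes through unchanged.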
