- From: Tyler Close <tyler.close@gmail.com>
- Date: Tue, 1 Dec 2009 17:04:10 -0800
- To: Mark Nottingham <mnot@mnot.net>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>

Ah, glad to see someone else had already spotted this. I suggest
adding the keyword "rebinding" to the ticket, to help subsequent
searchers find it.

--Tyler

On Tue, Dec 1, 2009 at 4:37 PM, Mark Nottingham <mnot@mnot.net> wrote:
> See:
> http://trac.tools.ietf.org/wg/httpbis/trac/ticket/100
>
>
> On 26/11/2009, at 2:18 AM, Tyler Close wrote:
>
>> The "Security Considerations" section of "HTTP/1.1, part 1" does not
>> mention DNS rebinding attacks. The normative language in the section
>> on "DNS spoofing" seems to require vulnerability to DNS rebinding
>> attacks:
>>
>> """
>> If HTTP clients cache the results of host name lookups in order to
>> achieve a performance improvement, they MUST observe the TTL
>> information reported by DNS
>> """
>>
>> --Tyler
>>
>> --
>> "Waterken News: Capability security on the Web"
>> http://waterken.sourceforge.net/recent.html
>>
>
>
> --
> Mark Nottingham http://www.mnot.net/
>
>

--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html

Received on Wednesday, 2 December 2009 01:04:44 UTC