W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2010

Re: Security considerations for DNS rebinding

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 9 Feb 2010 10:08:38 -0800
Message-ID: <7789133a1002091008q77efdd78oea6547c1fc428405@mail.gmail.com>
To: Tim <tim-projects@sentinelchicken.org>
Cc: Maciej Stachowiak <mjs@apple.com>, HTTP Working Group <ietf-http-wg@w3.org>
On Tue, Feb 9, 2010 at 6:23 AM, Tim <tim-projects@sentinelchicken.org> wrote:
>> The DNS Spoofing security considerations subsection has a
>> requirement that actually increases the risk of DNS rebinding attacks.
>> It says that "If HTTP clients cache the results of host name lookups
>> in order to achieve a performance improvement, they must observe the
>> TTL information reported by DNS". Clients that follow this advice will
>> be at greater risk than if they give cached DNS lookup results a floor
>> on time-to-live, or keep a DNS resolution result "pinned" so long as
>> any resource from that domain is active. Those are the simplest
>> client-side mitigation strategies for DNS rebinding attacks. If DNS
>> lookups are cached in the browser for a minimum of, say, an hour,
>> there is much less risk of a DNS rebinding attack, because the
>> attacker must get the user to keep a page open for at least an hour to
>> be able to perform the rebinding attack.
>
> While I'm not an expert on DNS rebinding, I'm afraid I don't agree
> that DNS pinning helps prevent rebinding attacks.

DNS pinning is not a great solution to DNS rebinding, and I would
hesitate to recommend it to user agent implementors.  For details,
please see:

http://www.adambarth.com/papers/2007/jackson-barth-bortz-shao-boneh.pdf

On the other hand, Host header checking is effective, and it seems
valuable for HTTPbis to recommend it to server implementors.

Adam
Received on Tuesday, 9 February 2010 18:10:39 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:16 GMT