
Re: Security considerations for DNS rebinding

From: Justin Erenkrantz <justin@erenkrantz.com>
Date: Tue, 9 Feb 2010 10:21:17 -0800
Message-ID: <5c902b9e1002091021j721c1319s9eb04a0b5645616e@mail.gmail.com>
To: Maciej Stachowiak <mjs@apple.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
On Tue, Feb 9, 2010 at 5:48 AM, Maciej Stachowiak <mjs@apple.com> wrote:
> If HTTP had a requirement to check the Host header and all servers followed it, then the risk of DNS rebinding attacks would be eliminated for conforming servers. Meanwhile clients can only implement mitigation strategies that are only partially effective or inordinately complex or both. And client-side protections can risk breaking completely valid DNS round-robin load balancing setups.

I can see this as a SHOULD, but not as a MUST as I'm not a fan of
httpbis making such fundamental changes.  Enforcing this as a MUST
would certainly break most httpd configs that rely upon virtual
hosting in odd ways - so I'm not even sure httpd would make this the
default, but rather opt-in at best.  -- justin
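The server-side check the two messages above are debating, as an added example that is not code from either poster or from any httpd project: an origin server compares the request's Host header against an operator-supplied allowlist of the names it is meant to serve, so a browser request that was rebound to this server's address under a foreign hostname never reaches application logic. The allowlist, the permitted ports and the sample header lists are constructed here for illustration, and because the allowlist is configuration, the check deploys as the opt-in that Justin describes rather than as a change to default virtual-host behaviour.

```python
# Added example, not from the thread: an origin-server Host header check
# against an operator-configured allowlist of served hostnames.
# ALLOWED_HOSTS and ALLOWED_PORTS are constructed sample configuration.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
ALLOWED_PORTS = {80, 443}


def split_host_port(host_value):
    """Split a Host field-value into (hostname, port or None).

    Handles bracketed IPv6 literals such as "[2001:db8::1]:8080" and
    raises ValueError on malformed input (unterminated bracket, trailing
    junk, empty or non-numeric port)."""
    value = host_value.strip()
    if value.startswith("["):
        end = value.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal")
        host = value[1:end]
        rest = value[end + 1:]
        if rest == "":
            return host, None
        if not rest.startswith(":"):
            raise ValueError("unexpected characters after IPv6 literal")
        port_str = rest[1:]
    else:
        host, sep, port_str = value.partition(":")
        if not sep:
            return host, None
    if not port_str.isdigit():
        raise ValueError("port must be a decimal number")
    return host, int(port_str)


def host_header_ok(headers, allowed_hosts=ALLOWED_HOSTS, allowed_ports=ALLOWED_PORTS):
    """Return True only if the request names this server in its Host header.

    headers is a list of (name, value) pairs as parsed from the request.
    A request is rejected when Host is missing, duplicated, malformed,
    names a host outside the allowlist, or carries a port the server
    does not serve. A DNS-rebound request carries the attacker-controlled
    hostname the browser believes it is talking to, so it fails the
    allowlist test even though it reached this server's IP address."""
    host_fields = [v for (n, v) in headers if n.lower() == "host"]
    if len(host_fields) != 1:
        return False
    try:
        host, port = split_host_port(host_fields[0])
    except ValueError:
        return False
    # Hostnames are case-insensitive; a trailing dot is the same name.
    host = host.lower().rstrip(".")
    if host not in allowed_hosts:
        return False
    if port is not None and port not in allowed_ports:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, one rebound.
    print(host_header_ok([("Host", "www.example.com:443")]))   # legitimate
    print(host_header_ok([("Host", "rebinder.invalid")]))      # rejected
```

A server that rejects the request would answer 400 (Bad Request) before routing to any virtual host; the check sits in front of the application, and the allowlist is the only per-deployment input, which is where the operator decides whether to turn it on.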
Received on Tuesday, 9 February 2010 18:29:01 GMT
