W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2011

#100: DNS Spoofing / Rebinding

From: Mark Nottingham <mnot@mnot.net>
Date: Sun, 17 Jul 2011 11:33:52 +1000
Message-Id: <2CE9C4DC-7B6E-4770-A5CE-95BA58DD27CD@mnot.net>
Cc: Henrik Nordström <henrik@henriknordstrom.net>, Lisa Dusseault <lisa.dusseault@gmail.com>
To: HTTP Working Group <ietf-http-wg@w3.org>

We've had this ticket open for a while now.

Relevant text in our current draft:

AIUI DNS pinning is no longer considered an adequate defence against rebinding, and the current advice is for servers to verify the Host header.

If that's correct, I think we can close this issue with no change.

Thoughts? We should also probably circulate with some security folk.

Mark Nottingham   http://www.mnot.net/
Received on Sunday, 17 July 2011 01:34:29 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:10:58 UTC