- From: Amit Klein <aksecurity@gmail.com>
- Date: Sun, 17 Jul 2011 08:48:55 +0300
- To: Mark Nottingham <mnot@mnot.net>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>, Henrik Nordström <henrik@henriknordstrom.net>, Lisa Dusseault <lisa.dusseault@gmail.com>
In the past (and this may re-incarnate) it was possible for clients to provide arbitrary Host headers with HTTP requests, thus rendering the Host header verification defense somewhat useless. See e.g.:

http://archive.cert.uni-stuttgart.de/bugtraq/2006/09/msg00090.html

2011/7/17 Mark Nottingham <mnot@mnot.net>:
> <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/100>
>
> We've had this ticket open for a while now.
>
> Relevant text in our current draft:
> <http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-15#section-11.4>
>
> AIUI DNS pinning is no longer considered an adequate defence against rebinding, and the current advice is for servers to verify the Host header.
>
> If that's correct, I think we can close this issue with no change.
>
> Thoughts? We should also probably circulate with some security folk.
>
> --
> Mark Nottingham http://www.mnot.net/
Received on Sunday, 17 July 2011 05:49:24 UTC
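The Host header verification that the quoted message refers to, as an added example that is not part of this thread, of the HTTPbis draft, or of any server: a minimal check a server can apply to the head of an incoming HTTP/1.1 request before it routes the request anywhere. A rebinding attack relies on the browser connecting to an internal address while still sending the attacker's hostname in Host, so a server that only answers for names it actually serves refuses that request. The allowlist, ports, sample requests and the small parser are all constructed for illustration; real servers would take the allowlist from configuration.

```python
"""Host-header verification as a DNS-rebinding defence (constructed example)."""
import re

# Constructed allowlist: the names and ports this server is actually deployed under.
ALLOWED_HOSTS = {"intranet.example", "www.intranet.example"}
ALLOWED_PORTS = {80, 8080}

# RFC 7230 token characters for a header field name, then ':' and optional whitespace.
HEADER_RE = re.compile(r"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*$")


def split_host_port(value):
    """Split a Host field value into (hostname, port or None).

    Handles bracketed IPv6 literals ("[::1]:80"); returns None when the
    value is malformed (unterminated bracket, non-numeric port, ...).
    """
    value = value.strip()
    if value.startswith("["):
        end = value.find("]")
        if end == -1:
            return None
        host, rest = value[1:end], value[end + 1:]
    else:
        host, sep, rest = value.partition(":")
        rest = sep + rest
    if rest == "":
        return host, None
    if not rest.startswith(":") or not rest[1:].isdigit():
        return None
    return host, int(rest[1:])


def host_allowed(value, allowed_hosts=ALLOWED_HOSTS, allowed_ports=ALLOWED_PORTS):
    """True only if the Host value names a host (and port) this server serves.

    Comparison is case-insensitive and ignores a trailing dot (assumption:
    the deployment treats "intranet.example." and "intranet.example" alike).
    IP literals are rejected unless explicitly allowlisted, since a rebound
    request from a browser never carries one of our configured names.
    """
    parsed = split_host_port(value)
    if parsed is None:
        return False
    host, port = parsed
    host = host.lower().rstrip(".")
    if port is not None and port not in allowed_ports:
        return False
    return host in allowed_hosts


def check_request(raw):
    """Apply the Host checks to a raw HTTP/1.1 request head (origin-form only).

    Returns (status, reason): 200 when the request may be processed, 400 when
    it must be refused. Missing or duplicate Host fields are refused as
    HTTP/1.1 (RFC 7230 section 5.4) requires.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not lines[0].endswith(" HTTP/1.1"):
        return 400, "not an HTTP/1.1 request line"
    hosts = []
    for line in lines[1:]:
        match = HEADER_RE.match(line)
        if not match:
            return 400, "malformed header line"
        if match.group(1).lower() == "host":
            hosts.append(match.group(2))
    if len(hosts) != 1:
        return 400, "missing or duplicate Host"
    if not host_allowed(hosts[0]):
        return 400, "Host not served here"
    return 200, "ok"


# Constructed sample requests: a legitimate one, one as a rebound browser would
# send it (our address, attacker's name), one without Host, one with two Hosts.
LEGIT = "GET /status HTTP/1.1\r\nHost: Intranet.Example\r\nUser-Agent: demo\r\n\r\n"
REBOUND = "GET /status HTTP/1.1\r\nHost: attacker.example\r\n\r\n"
NO_HOST = "GET /status HTTP/1.1\r\n\r\n"
DUP_HOST = "GET / HTTP/1.1\r\nHost: intranet.example\r\nHost: attacker.example\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("legit", LEGIT), ("rebound", REBOUND),
                      ("no_host", NO_HOST), ("dup_host", DUP_HOST)):
        print(name, check_request(req))
```

The check is only as good as the premise that the browser sends the name it believed it connected to; the point made in the reply above is that a client which can be induced to send an arbitrary Host value (as the linked Bugtraq post described) defeats this defence, so a server should treat Host verification as one layer and still authenticate requests to anything sensitive.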