W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2011

Re: #100: DNS Spoofing / Rebinding

From: Amit Klein <aksecurity@gmail.com>
Date: Sun, 17 Jul 2011 08:48:55 +0300
Message-ID: <CANEQ_+J3Nq-BO5XE8u+8jWr3E5_Md0mDLbkoxHgHwnygK3jDTg@mail.gmail.com>
To: Mark Nottingham <mnot@mnot.net>
Cc: HTTP Working Group <ietf-http-wg@w3.org>, Henrik Nordström <henrik@henriknordstrom.net>, Lisa Dusseault <lisa.dusseault@gmail.com>
In the past (and this may re-incarnate) it was possible for clients to
provide arbitrary Host headers with HTTP requests, thus rendering the
Host header verification defense somewhat useless. See e.g.:
http://archive.cert.uni-stuttgart.de/bugtraq/2006/09/msg00090.html


2011/7/17 Mark Nottingham <mnot@mnot.net>:
> <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/100>
>
> We've had this ticket open for a while now.
>
> Relevant text in our current draft:
>  <http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-15#section-11.4>
>
> AIUI DNS pinning is no longer considered an adequate defence against rebinding, and the current advice is for servers to verify the Host header.
>
> If that's correct, I think we can close this issue with no change.
>
> Thoughts? We should also probably circulate with some security folk.
>
>
> --
> Mark Nottingham   http://www.mnot.net/
>
>
>
>
>
Received on Sunday, 17 July 2011 05:49:24 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:45 GMT