
Re: #100: DNS Spoofing / Rebinding

From: Mark Nottingham <mnot@mnot.net>
Date: Sun, 17 Jul 2011 16:03:18 +1000
Cc: HTTP Working Group <ietf-http-wg@w3.org>, Henrik Nordström <henrik@henriknordstrom.net>, Lisa Dusseault <lisa.dusseault@gmail.com>
Message-Id: <7E86BDD3-DD87-4C36-84B2-CA8C577523CA@mnot.net>
To: Amit Klein <aksecurity@gmail.com>
My understanding was that these holes had been closed, and that while there are undoubtedly still some clients out there that allow Host headers to be set, it's not an attractive attack to make now. What's the current state of things?


On 17/07/2011, at 3:48 PM, Amit Klein wrote:

> In the past (and this may re-incarnate) it was possible for clients to
> provide arbitrary Host headers with HTTP requests, thus rendering the
> Host header verification defense somewhat useless. See e.g.:
> http://archive.cert.uni-stuttgart.de/bugtraq/2006/09/msg00090.html
> 
> 
> 2011/7/17 Mark Nottingham <mnot@mnot.net>:
>> <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/100>
>> 
>> We've had this ticket open for a while now.
>> 
>> Relevant text in our current draft:
>>  <http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-15#section-11.4>
>> 
>> AIUI DNS pinning is no longer considered an adequate defence against rebinding, and the current advice is for servers to verify the Host header.
>> 
>> If that's correct, I think we can close this issue with no change.
>> 
>> Thoughts? We should also probably circulate with some security folk.
>> 
>> 
>> --
>> Mark Nottingham   http://www.mnot.net/

--
Mark Nottingham   http://www.mnot.net/
Received on Sunday, 17 July 2011 06:03:45 GMT
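
The server-side Host header verification discussed in this thread, sketched as an added example (not code from the thread or from the httpbis draft). The allowlisted names and ports and the function names are assumptions chosen for illustration; a request is accepted only when it carries exactly one Host value naming a host and port the server really serves.

```python
import ipaddress

# Assumed deployment values: the names and ports this server really answers on.
ALLOWED_HOSTS = {"intranet.example", "www.intranet.example", "::1"}
ALLOWED_PORTS = {80, 8080}
DEFAULT_PORT = 80


def split_host(value):
    """Split one Host field value into (host, port); ValueError if malformed."""
    value = value.strip()
    if not value or any(c in value for c in " \t/\\@?#,"):
        raise ValueError("malformed Host value")
    if value.startswith("["):                       # IPv6 literal, e.g. [::1]:8080
        literal, sep, rest = value[1:].partition("]")
        if not sep or (rest and not rest.startswith(":")):
            raise ValueError("bad IPv6 literal")
        host = str(ipaddress.IPv6Address(literal))  # canonical form, or ValueError
        port_text = rest[1:] if rest else None
    else:
        host, sep, port_text = value.partition(":")
        if not sep:
            port_text = None
        host = host.lower().rstrip(".")             # case-insensitive, drop root dot
    if port_text is None:
        return host, DEFAULT_PORT
    if not (port_text.isascii() and port_text.isdigit()):
        raise ValueError("bad port")
    return host, int(port_text)


def host_header_ok(host_values):
    """host_values: every Host field value received in a single request."""
    if len(host_values) != 1:                       # missing or duplicated Host
        return False
    try:
        host, port = split_host(host_values[0])
    except ValueError:
        return False
    # A rebound name still arrives as the attacker's hostname and fails here.
    return host in ALLOWED_HOSTS and port in ALLOWED_PORTS
```
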
