W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2011

Re: #100: DNS Spoofing / Rebinding

From: Willy Tarreau <w@1wt.eu>
Date: Sun, 17 Jul 2011 08:14:39 +0200
To: Mark Nottingham <mnot@mnot.net>
Cc: Amit Klein <aksecurity@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>, Henrik Nordström <henrik@henriknordstrom.net>, Lisa Dusseault <lisa.dusseault@gmail.com>
Message-ID: <20110717061439.GC31226@1wt.eu>
On Sun, Jul 17, 2011 at 04:03:18PM +1000, Mark Nottingham wrote:
> My understanding was that these holes had been closed, and that while there are undoubtedly still some clients out there that allow Host headers to be set, it's not an attractive attack to make now. What's the current state of things?

I know a number of places who still use Apache 1.3 + mod_proxy as the front
layer for SSL+cache. This component did not have the ProxyPreserveHost
directive, and as such, the common deployment model consists in binding it
to one IP address and forwarding everything received on that IP to the next
hop with a rewritten Host header.

I'm realizing that the security there only relies on the host name in the
SSL certificate. Once that's said, I wonder if we need to care about the
risk of abusing a non-SSL site, which may be abused a number of different
ways too. The only difference can lie in mass-attacks, but it's not obvious
to me what kind of issues we might face with an uncontrolled server returning
contents for a different host.

Regards,
Willy
Received on Sunday, 17 July 2011 06:15:09 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:45 GMT