
Re: #100: DNS Spoofing / Rebinding

From: Chris Weber <chris@lookout.net>
Date: Sun, 17 Jul 2011 00:23:38 -0700
Message-ID: <4E228DFA.7000106@lookout.net>
To: Mark Nottingham <mnot@mnot.net>
CC: Amit Klein <aksecurity@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>, Henrik Nordström <henrik@henriknordstrom.net>, Lisa Dusseault <lisa.dusseault@gmail.com>
On 7/16/2011 11:03 PM, Mark Nottingham wrote:
> My understanding was that these holes had been closed, and that while there are undoubtedly still some clients out there that allow Host headers to be set, it's not an attractive attack to make now. What's the current state of things?
>
>
> On 17/07/2011, at 3:48 PM, Amit Klein wrote:
>
>> In the past (and this may re-incarnate) it was possible for clients to
>> provide arbitrary Host headers with HTTP requests, thus rendering the
>> Host header verification defense somewhat useless. See e.g.:
>> http://archive.cert.uni-stuttgart.de/bugtraq/2006/09/msg00090.html
>>
>>

Most of these holes have been closed, save for the exceptions where 
similar bugs will probably continue to surface, which it sounds like 
Amit was alluding to, as something recently did 
<http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails>.

Having servers verify the Host header still seems valuable as defense in 
depth, but not as the panacea, of course.

-Chris
Received on Sunday, 17 July 2011 07:24:15 GMT
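The server-side Host header check the thread treats as defence in depth, as an added example that is not part of the original message or of any project discussed: in a rebinding attack the browser carries the attacker's hostname in Host while the connection lands on the victim service, so comparing Host against the names the service is actually published under rejects such requests. The allowed names, ports and sample values are constructed for illustration.

```python
# Added example: allow-list check of the HTTP Host header as a defence in
# depth against DNS rebinding. A request whose Host does not name this
# service by one of its published names is rejected. As the thread notes,
# this does not help against a client that can send an arbitrary Host.
# ALLOWED_HOSTS / ALLOWED_PORTS are assumed deployment values.
import ipaddress

ALLOWED_HOSTS = {"intranet.example.com", "localhost"}  # constructed
ALLOWED_PORTS = {None, 80, 443, 8080}                  # None = no port given


def parse_host(header):
    """Split a Host header value into (hostname, port); port is None if absent.
    Handles bracketed IPv6 literals; raises ValueError on malformed input."""
    header = header.strip()
    if header.startswith("["):            # IPv6 literal, e.g. [::1]:8080
        end = header.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal")
        host, rest = header[1:end], header[end + 1:]
    else:
        host, _, rest = header.partition(":")
        rest = ":" + rest if rest else ""
    port = None
    if rest:
        if not rest.startswith(":") or not rest[1:].isdigit():
            raise ValueError("malformed port")
        port = int(rest[1:])
    # Hostnames are case-insensitive; a trailing dot is the same name.
    return host.lower().rstrip("."), port


def host_is_allowed(header):
    """True only if Host names this service by a published name on an
    expected port. Missing, malformed and IP-literal Host values are all
    rejected: a rebinding attacker chooses what the browser sends there."""
    if not header:
        return False
    try:
        host, port = parse_host(header)
    except ValueError:
        return False
    try:
        ipaddress.ip_address(host)        # parses -> it is an IP literal
        return False
    except ValueError:
        pass                              # not an IP literal, keep going
    return host in ALLOWED_HOSTS and port in ALLOWED_PORTS
```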
