Re: [AC] Hardening against DNS rebinding attacks - proposal

From: Thomas Roessler <tlr@w3.org>
Date: Wed, 2 Jul 2008 11:36:14 +0200
To: Jonas Sicking <jonas@sicking.cc>
Cc: Webapps WG <public-webapps@w3.org>, Maciej Stachowiak <mjs@apple.com>
Message-ID: <20080702093614.GT288@iCoaster.does-not-exist.org>

On 2008-06-27 14:18:12 -0700, Jonas Sicking wrote:

> When a preflight OPTIONS request is made, store in the cache what
> IP address was used to make the request. When a subsequent
> non-GET is made, check what IP address the DNS name resolves to,
> and if the IP address is not the same as the one used for the
> OPTIONS request, re-do the preflight OPTIONS check.

This sounds like it will lead into an endless loop of OPTIONS
requests for sites that deploy round-robin DNS.

On 2008-06-28 14:33:33 -0700, Jonas Sicking wrote:

> This is technically not DNS pinning. 

I'd guess that DNS pinning will work significantly better than
what's proposed above.

-- 
Thomas Roessler, W3C  <tlr@w3.org>
Received on Wednesday, 2 July 2008 09:36:50 GMT
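
Added example, not part of the original message or of any browser's code: a small offline simulation of the two approaches discussed in this thread, the quoted "compare the preflight IP with a fresh lookup" check and DNS pinning, run against a round-robin name. The function names, the 192.0.2.x addresses and the strict one-address-per-lookup resolver with no intermediate caching are assumptions made for illustration.

```javascript
// Simulation only: no network access. All names and addresses are constructed.
// Assumption: the resolver hands out one address per lookup in strict rotation
// and nothing between the browser and the resolver caches the answer.
function roundRobinResolver(addresses) {
  let next = 0;
  return () => addresses[next++ % addresses.length];
}

// Strategy A (as quoted above): remember the preflight IP, re-resolve before
// the non-GET request, and redo the preflight whenever the two differ.
function compareIpStrategy(resolve, maxPreflights) {
  let preflights = 0;
  while (preflights < maxPreflights) {
    const preflightIp = resolve();   // lookup used for the OPTIONS request
    preflights++;
    const requestIp = resolve();     // fresh lookup before the non-GET request
    if (requestIp === preflightIp) {
      return { sent: true, preflights, ip: requestIp };
    }
    // Mismatch: the cached preflight result is discarded and the loop repeats.
  }
  return { sent: false, preflights, ip: null };  // gave up at the cap
}

// Strategy B (DNS pinning): resolve once, then send both the OPTIONS and the
// non-GET request to that same address without consulting DNS again.
function pinningStrategy(resolve) {
  const pinnedIp = resolve();
  return { sent: true, preflights: 1, ip: pinnedIp };
}

// Run both strategies against independent resolvers for the same record set.
function simulate(addresses, maxPreflights = 10) {
  return {
    compareIp: compareIpStrategy(roundRobinResolver(addresses), maxPreflights),
    pinning: pinningStrategy(roundRobinResolver(addresses)),
  };
}

// Constructed samples: three round-robin A records, then a single-address host.
console.log(simulate(["192.0.2.10", "192.0.2.11", "192.0.2.12"]));
console.log(simulate(["192.0.2.10"]));
```

Under these assumptions the compare-IP check never sends the non-GET request for the round-robin name and stops only at the preflight cap, while pinning needs one preflight; a resolver or OS cache that returns a stable answer for a while would let the compare-IP check converge.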