- From: Lisa Dusseault <ldusseault@commerce.net>
- Date: Thu, 2 Aug 2007 12:39:22 -0700
- To: HTTP Working Group <ietf-http-wg@w3.org>
This issue is part HTML, part URL construction rules, part DNS and of course a little bit of HTTP.

Lisa

Begin forwarded message:

> http://crypto.stanford.edu/dns/
>
> DNS rebinding attacks subvert the same-origin policy of browsers and
> convert them into open network proxies. These attacks can be used to
> circumvent firewalls and are highly cost-effective for sending spam
> e-mail and defrauding pay-per-click advertisers, requiring less than
> $100 to temporarily hijack 100,000 IP addresses. We show that a
> well-known, existing defense against these attacks, called "DNS
> pinning", is ineffective in modern browsers. The primary focus of this
> work, however, is the design of strong defenses against DNS rebinding
> attacks that protect modern browsers. For the near-term, we suggest
> easy-to-deploy defenses that prevent large-scale exploitation by
> patching individual plug-ins and improving the robustness of browser
> DNS pinning strategies. For the long-term, we propose two solutions,
> circumvention-resistant firewalls and host name authorization, that
> fix the root cause of DNS rebinding vulnerabilities by preventing the
> attacker from naming a target server.
Received on Thursday, 2 August 2007 19:39:40 UTC