Re: Fodder for security issues document (was: dns binding)

On Thu, 2007-08-02 at 12:39 -0700, Lisa Dusseault wrote:
> This issue is part HTML, part URL construction rules, part DNS and of  
> course a little bit of HTTP

Fortunately quite easy to protect from within the current HTTP/1.1
specs. Only requirement is that one can assume clients support HTTP/1.1
or at least HTTP/1.0 + Host header, which is all known browsers and
nearly all other known user-agents.

HTTP solution: Make the web server only respond on known site names, not
a catch-all "defaultsite".
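
The check described in the message above, as an added example that is not part of the original mail: a WSGI middleware that answers only when the Host header names a configured site and otherwise returns 400 instead of falling through to a default site. The site names, `KnownHostsOnly`, `host_is_known` and `status_for` are assumptions made for illustration.

```python
import re

# Constructed example values: the site names this server is meant to serve.
KNOWN_SITES = frozenset({"example.com", "www.example.com"})

# host[:port], where host is a DNS name, an IPv4 literal or a bracketed IPv6 literal.
_HOST_RE = re.compile(r"^([A-Za-z0-9.-]+|\[[0-9A-Fa-f:.]+\])(?::\d{1,5})?$")


def host_is_known(host_header, known_sites=KNOWN_SITES):
    """True only when the Host header names one of the configured sites."""
    if not host_header:
        return False  # HTTP/1.0 request without Host: no name to match
    m = _HOST_RE.match(host_header.strip())
    if not m:
        return False  # malformed value, e.g. userinfo or whitespace inside
    name = m.group(1).lower().rstrip(".")  # case-insensitive, ignore root dot
    return name in known_sites


class KnownHostsOnly:
    """WSGI middleware (hypothetical name): no catch-all default site."""

    def __init__(self, app, known_sites=KNOWN_SITES):
        self.app = app
        self.known_sites = frozenset(s.lower() for s in known_sites)

    def __call__(self, environ, start_response):
        if not host_is_known(environ.get("HTTP_HOST"), self.known_sites):
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"Unknown site name\n"]
        return self.app(environ, start_response)


def _demo_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def status_for(host_header):
    """Send one constructed request through the middleware; return the status."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    if host_header is not None:
        environ["HTTP_HOST"] = host_header
    seen = []
    KnownHostsOnly(_demo_app)(environ, lambda status, headers: seen.append(status))
    return seen[0]
```

Requests addressed by IP literal or with no Host header at all are rejected as well, since neither matches a known site name.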


