- From: Henrik Nordstrom <henrik@henriknordstrom.net>
- Date: Mon, 06 Aug 2007 22:30:05 +0200
- To: David Morris <dwm@xpasc.com>
- Cc: ietf-http-wg@w3.org, Lisa Dusseault <ldusseault@commerce.net>
Received on Monday, 6 August 2007 20:30:24 UTC
On mån, 2007-08-06 at 12:51 -0700, David Morris wrote:

> > HTTP solution: Make the web server only respond on known site names, not
> > a catch-all "defaultsite".
>
> I must be dense ... I don't understand how an attack which returns invalid
> IPs for a host is mitigated by proper honoring of host header info.

It blocks information theft in the attack vectors where the attacker's
software/scripts cannot gain direct network access and only have validated
HTTP clients with working host/domain based restrictions to work with.

Of course it does not protect against DoS botnets, or the other information
theft attack vectors where the attacker gains direct network access and can
construct the HTTP request freely, or where implementation bugs allow the
attacker to bypass host/domain based restrictions. There is very little
which can be done at the HTTP level in these cases as the requests look
perfectly valid on the server side.

Regards
Henrik
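The host/domain based restriction discussed in the thread, as an added example that is not from the message or any server project: a request handler that serves only an allow-list of known site names (constructed sample names, not from the thread) and answers every other Host value with a refusal instead of a catch-all default site. It also honours the RFC 2616 rule that an absolute-URI request-target overrides the Host header, so the two cannot disagree.

```python
import re
from typing import Dict, FrozenSet, Optional, Tuple

# Site names this server is authoritative for (constructed sample values).
KNOWN_SITES: FrozenSet[str] = frozenset({"intranet.example", "www.example"})

# authority = host [ ":" port ]; host is a name, IPv4 literal or bracketed IPv6 literal
_AUTHORITY_RE = re.compile(
    r"^(?P<host>\[[0-9a-f:.]+\]|[a-z0-9.-]+)(?::(?P<port>\d{1,5}))?$", re.I
)


def effective_host(headers: Dict[str, str], request_target: str) -> Optional[str]:
    """Return the host the request is addressed to, lowercased, without port.

    RFC 2616 section 5.2: if the request-target is an absolute URI, its host
    wins and the Host header value must be ignored.
    """
    if request_target.lower().startswith(("http://", "https://")):
        authority = request_target.split("/", 3)[2]
    else:
        lowered = {k.lower(): v for k, v in headers.items()}
        authority = lowered.get("host", "")
    match = _AUTHORITY_RE.match(authority.strip())
    return match.group("host").lower() if match else None


def is_known_site(headers: Dict[str, str], request_target: str,
                  known: FrozenSet[str] = KNOWN_SITES) -> bool:
    """True only when the request names a site this server actually serves."""
    host = effective_host(headers, request_target)
    return host is not None and host in known


def handle(headers: Dict[str, str], request_target: str) -> Tuple[int, str]:
    """No default site: an unknown or missing host gets a 400, never content.

    A browser that has been rebound from attacker-controlled DNS to this
    server's address still sends the attacker's name in Host, so it is refused.
    A client that can construct requests directly can of course send a known
    name, which is the limit of this mitigation noted in the thread.
    """
    if not is_known_site(headers, request_target):
        return 400, "Unknown host"
    return 200, f"content for {effective_host(headers, request_target)}"
```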