- From: Henrik Nordstrom <henrik@henriknordstrom.net>
- Date: Thu, 09 Aug 2007 14:42:16 +0200
- To: HTTP Working Group <ietf-http-wg@w3.org>
- Cc: Lisa Dusseault <ldusseault@commerce.net>
- Message-Id: <1186663336.16745.63.camel@henriknordstrom.net>
Been reading and thinking a bit more on the DNS binding problem after the reminder by Lisa, and came to the conclusion that the RFC2616 recommendations and actual implementation and security concerns are quite far apart on this. RFC2616 15.3 "DNS Spoofing" recommends the exact opposite of DNS binding. Any client implementing those recommendations is quite vulnerable to the discussed issues.

This makes me wonder if 15.3 perhaps should be dropped from the specifications. Not many user-agents are following the recommendation found there (certainly none of the main browser vendors), and its recommendations also are not very effective against what 15.3 tries to protect from (DNS poisoning). The protection from DNS poisoning that 15.3 tries to achieve is best addressed at the DNS resolver layer, not in the HTTP application implementation.

The recommendations in 15.3 are sane from a technical perspective, and also close to obviously "correct" from a technical perspective, but unfortunately open an information theft security issue by using scripting capable user agents using hostname based access checks to jail the executed scripts. So having this in the specs is counter to actual implementation experience. Additionally, viewing 15.3 as a security measure is imho not very useful as it doesn't really improve the security aspects by any noticeable amount at any level.

So in the end it's better to leave this to implementation detail, leaving it out of the protocol specifications I think.

But this said, the HTTP solution of not allowing servers to answer requests for "other" sites does solve quite a lot of the security concerns regarding information theft using HTTP. The rest is client implementation details to ensure active content is properly jailed.

Regards
Henrik
Received on Thursday, 9 August 2007 12:43:55 UTC
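The server-side mitigation Henrik refers to, a server refusing to answer requests addressed to names it does not serve, as an added example (not code from the thread or from any project mentioned in it). It assumes HTTP/1.x framing and a constructed allowlist of served names; it follows RFC 2616 section 5.2 in letting an absolute-URI request target override the Host header, and treats a missing or duplicated Host as ambiguous rather than falling back to a default site.

```python
from urllib.parse import urlsplit

# Names this server actually answers for (constructed values for the example).
SERVED_NAMES = {"intranet.example", "intranet.example:8080"}

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request head into (method, target, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, target, headers

def effective_authority(target: str, headers: dict):
    """Authority the request is addressed to, per RFC 2616 section 5.2:
    an absolute-URI request target overrides Host; otherwise exactly one
    Host header must be present, or the request is ambiguous."""
    if "://" in target:
        return urlsplit(target).netloc or None
    hosts = headers.get("host", [])
    return hosts[0] if len(hosts) == 1 else None

def canonical(authority: str, default_port: int = 80) -> str:
    """Normalise host[:port] to a lowercase host with an explicit port.
    A bracketed IPv6 literal without a port also lands in the else-branch."""
    host, sep, port = authority.rpartition(":")
    if not sep or not port.isdigit():
        host, port = authority, str(default_port)
    return f"{host.lower()}:{int(port)}"

def check_request(raw: bytes, served=SERVED_NAMES) -> str:
    """Return 'ok' only when the request is for a name we serve.
    A rebinding attack points some other name at our address; a request
    made under that other name then gets 'wrong-host' instead of content."""
    try:
        _, target, headers = parse_request(raw)
    except ValueError:
        return "bad-request"
    authority = effective_authority(target, headers)
    if authority is None:
        return "no-host"
    allowed = {canonical(n) for n in served}
    return "ok" if canonical(authority) in allowed else "wrong-host"
```

The check only covers the server side of Henrik's split; the client-side jailing of active content he mentions still has to be enforced by the user agent.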