New issue: 15.3 misguided?

Been reading and thinking a bit more on the DNS binding problem after
the reminder by Lisa, and came to the conclusion that RFC2616
recommendations and actual implementation and security concerns are quite
far apart on this.

RFC2616 15.3 "DNS Spoofing" recommends the exact opposite of DNS
binding. Any client implementing those recommendations is quite
vulnerable to the discussed issues. This makes me wonder if 15.3 perhaps
should be dropped from the specifications. Not many user-agents are
following the recommendation found there (certainly none of the main
browser vendors), and its recommendations also are not very effective
against what 15.3 tries to protect from (DNS poisoning). The protection
from DNS poisoning 15.3 tries to achieve is best addressed at the DNS
resolver layer, not HTTP application implementation.

The recommendations in 15.3 are sane from a technical perspective, and
also close to obviously "correct" from a technical perspective, but
unfortunately open an information theft security issue by using
scripting capable user agents using hostname based access checks to jail
the executed scripts. So having this in the specs is counter to actual
implementation experience.

Additionally viewing 15.3 as a security measure is imho not very useful
as it doesn't really improve the security aspects by any noticeable
amount at any level.

So in the end it's better to leave this to implementation detail,
leaving it out of the protocol specifications I think.

But this said, the HTTP solution of not allowing servers to answer
requests for "other" sites does solve quite a lot of the security
concerns regarding information theft using HTTP. The rest is client
implementation details to ensure active content is properly jailed.

Regards
Henrik

Received on Thursday, 9 August 2007 12:43:55 UTC
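As an added, defender-side illustration of the two controls the message contrasts (this is not code from Henrik's message or from any HTTP implementation): a constructed resolver whose queued answer changes after the first lookup, a client that re-resolves as 15.3 recommends beside one that pins the first address for the browsing context, and a server-side Host check that refuses requests for sites it is not configured to serve. The resolver model, the class names and the TEST-NET addresses used in the test are assumptions made here.

```python
class FakeResolver:
    """Constructed stand-in for the system resolver. Answers are handed out in
    queue order, so a lookup after the TTL expired can point elsewhere (assumed:
    one queued answer per TTL period)."""
    def __init__(self, answers):
        self.answers = {h: list(a) for h, a in answers.items()}

    def lookup(self, host):
        queue = self.answers.get(host)
        if not queue:
            raise LookupError(host)
        return queue.pop(0) if len(queue) > 1 else queue[0]

class TtlClient:
    """What RFC 2616 15.3 recommends: re-resolve once the TTL has passed."""
    def __init__(self, resolver):
        self.resolver = resolver

    def connect_address(self, host):
        return self.resolver.lookup(host)

class PinningClient:
    """Pin the first address resolved for a host for the whole browsing
    context, so a later DNS change cannot redirect that host's scripts."""
    def __init__(self, resolver):
        self.resolver = resolver
        self.pins = {}

    def connect_address(self, host):
        if host not in self.pins:
            self.pins[host] = self.resolver.lookup(host)
        return self.pins[host]

def parse_host(header):
    """Split a Host header into (name, port); return None if malformed."""
    value = header.strip().lower()
    if value.startswith("[") and "]" in value:  # IPv6 literal, e.g. [2001:db8::1]:80
        name, _, rest = value[1:].partition("]")
    else:
        name, sep, tail = value.partition(":")
        rest = sep + tail
    if not name or (rest and not (rest.startswith(":") and rest[1:].isdigit())):
        return None
    return name, (int(rest[1:]) if rest else None)

def host_header_allowed(header, served_names):
    """Server side: answer only for the sites this server is configured for."""
    parsed = parse_host(header)
    return parsed is not None and parsed[0] in served_names
```

With the same changing answers, the TTL-following client ends up connected to the second address while the pinning client keeps the first; the Host check is the server-side half, refusing a request that names a site this server does not serve.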