CERT VU#435052 - intercepting proxy vulnerability


 From an HTTP perspective, there are a number of potential reactions;

1) intercepting proxies are bad; we told you so!

2) we should accommodate intercepting proxies in HTTPbis, because  
they're a reality.

2a) we should note this type of attack in Security Considerations, and  
more strongly recommend that clients send an absolute URI on the  
request-line, even when not using a configured proxy.

Just food for thought...


Mark Nottingham

Received on Monday, 23 February 2009 23:43:47 UTC