- From: Tyler Close <tyler.close@gmail.com>
- Date: Wed, 25 Nov 2009 07:18:56 -0800
- To: HTTP Working Group <ietf-http-wg@w3.org>

The "Security Considerations" section of "HTTP/1.1, part 1" does not mention DNS rebinding attacks. The normative language in the section on "DNS spoofing" seems to require vulnerability to DNS rebinding attacks:

"""
If HTTP clients cache the results of host name lookups in order to achieve a performance improvement, they MUST observe the TTL information reported by DNS
"""

--Tyler

--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html

Received on Wednesday, 25 November 2009 15:19:29 UTC
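
The interaction the message points at, shown as an added example that is not part of the original message: a client host cache that observes the DNS TTL re-resolves the same name and can be moved from a public address to an internal one, while a cache that pins the first answer (included only for comparison) is not. The resolver, hostname, addresses and class names are constructed for illustration.

```python
import ipaddress

# Constructed DNS answers for one hostname: (address, ttl_seconds), served in order.
# 203.0.113.10 is a documentation address; 192.168.0.1 stands in for an internal host.
CONSTRUCTED_ANSWERS = [("203.0.113.10", 1), ("192.168.0.1", 1)]

# Ranges treated as internal for the check (RFC 1918, loopback, link-local).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


class FakeResolver:
    """Stand-in for DNS: returns the next constructed answer on each lookup."""
    def __init__(self, answers):
        self.answers = list(answers)
        self.lookups = 0

    def resolve(self, host):
        answer = self.answers[min(self.lookups, len(self.answers) - 1)]
        self.lookups += 1
        return answer


class HostCache:
    """Client host cache. pin=False observes the TTL; pin=True keeps the first address."""
    def __init__(self, resolver, pin):
        self.resolver, self.pin, self.entries = resolver, pin, {}

    def lookup(self, host, now):
        entry = self.entries.get(host)
        if entry and (self.pin or now < entry[1]):
            return entry[0]                      # cached answer still usable
        addr, ttl = self.resolver.resolve(host)  # TTL expired (or first lookup)
        self.entries[host] = (addr, now + ttl)
        return addr


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def run_session(pin, times=(0, 5)):
    """Resolve one name at each time; report addresses and any public-to-internal move."""
    cache = HostCache(FakeResolver(CONSTRUCTED_ANSWERS), pin)
    seen = [cache.lookup("site.example", t) for t in times]
    rebound = any(not is_internal(a) and is_internal(b) for a, b in zip(seen, seen[1:]))
    return seen, rebound
```

The `rebound` flag is the condition a client or monitoring hook can check: the same name moving from a non-internal address to an internal one between lookups.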