- From: Mark Nottingham <mnot@mnot.net>
- Date: Wed, 2 Dec 2009 11:37:51 +1100
- To: Tyler Close <tyler.close@gmail.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
See: http://trac.tools.ietf.org/wg/httpbis/trac/ticket/100

On 26/11/2009, at 2:18 AM, Tyler Close wrote:

> The "Security Considerations" section of "HTTP/1.1, part 1" does not
> mention DNS rebinding attacks. The normative language in the section
> on "DNS spoofing" seems to require vulnerability to DNS rebinding
> attacks:
>
> """
> If HTTP clients cache the results of host name lookups in order to
> achieve a performance improvement, they MUST observe the TTL
> information reported by DNS
> """
>
> --Tyler
>
> --
> "Waterken News: Capability security on the Web"
> http://waterken.sourceforge.net/recent.html
>

--
Mark Nottingham     http://www.mnot.net/
Received on Wednesday, 2 December 2009 00:38:23 UTC
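
The interaction between TTL-observing host name caches and DNS rebinding raised in the quoted message, as an added example that is not part of the original thread or of any HTTP specification: a client-side cache that re-resolves when the TTL expires, as the quoted text requires, and refuses a name whose answer moves from an external address to an internal one. The class name `TtlCache`, the resolver and clock callables, the internal-range list and the sample answers are assumptions constructed for illustration.

```python
import ipaddress

# Assumed definition of "internal": RFC 1918, loopback, link-local, IPv6 ULA.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def is_internal(address):
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in INTERNAL_NETS)


class TtlCache:
    """Host name cache that observes DNS TTLs and flags rebinding-style changes."""

    def __init__(self, resolver, clock):
        self.resolver = resolver  # callable: name -> (address, ttl_seconds)
        self.clock = clock        # callable: () -> current time in seconds
        self.entries = {}         # name -> (address, expiry_time)
        self.first_seen = {}      # name -> first address ever returned

    def lookup(self, name):
        now = self.clock()
        cached = self.entries.get(name)
        if cached and now < cached[1]:
            return cached[0]                 # still within TTL: no new query
        address, ttl = self.resolver(name)   # TTL expired: re-resolve
        original = self.first_seen.setdefault(name, address)
        if not is_internal(original) and is_internal(address):
            raise ValueError(f"{name}: rebound from {original} to {address}")
        self.entries[name] = (address, now + ttl)
        return address


def demo():
    # Constructed sample data: two successive answers for the same name.
    answers = iter([("203.0.113.10", 1), ("192.168.0.1", 1)])
    now = [0]
    cache = TtlCache(lambda name: next(answers), lambda: now[0])
    first = cache.lookup("example.test")
    now[0] = 5  # advance past the 1-second TTL
    try:
        cache.lookup("example.test")
        return first, False
    except ValueError:
        return first, True
```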