- From: Willy Tarreau <w@1wt.eu>
- Date: Sun, 17 Jul 2011 08:14:39 +0200
- To: Mark Nottingham <mnot@mnot.net>
- Cc: Amit Klein <aksecurity@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>, Henrik Nordström <henrik@henriknordstrom.net>, Lisa Dusseault <lisa.dusseault@gmail.com>
On Sun, Jul 17, 2011 at 04:03:18PM +1000, Mark Nottingham wrote:
> My understanding was that these holes had been closed, and that while there are undoubtedly still some clients out there that allow Host headers to be set, it's not an attractive attack to make now. What's the current state of things?

I know a number of places who still use Apache 1.3 + mod_proxy as the front layer for SSL+cache. This component did not have the ProxyPreserveHost directive, and as such, the common deployment model consists in binding it to one IP address and forwarding everything received on that IP to the next hop with a rewritten Host header. I'm realizing that the security there only relies on the host name in the SSL certificate.

Once that's said, I wonder if we need to care about the risk of abusing a non-SSL site, which may be abused a number of different ways too. The only difference can lie in mass-attacks, but it's not obvious to me what kind of issues we might face with an uncontrolled server returning contents for a different host.

Regards,
Willy
Received on Sunday, 17 July 2011 06:15:09 UTC