- From: Amos Jeffries <squid3@treenet.co.nz>
- Date: Wed, 24 Apr 2013 01:40:27 +1200
- To: ietf-http-wg@w3.org
On 23/04/2013 6:02 p.m., Mark Nottingham wrote:
> Just wondering if we need to explicitly point out the security considerations around the following:
>
> * Message routing -- it's somewhat common AIUI for intermediaries to only route on the Host header, for performance reasons; i.e., they do not reconstruct the effective request URI (as required by p1 5.5). I know there's a theoretical risk here, but is there a real-world risk that we should point out?

CVE-2009-0801 has active nasties out there in the wild. At least two that I'm personally aware of today. I know that CVE is centered around interceptors, which you like to avoid mentioning, but regular proxies and gateways can be used by an unsafe interceptor and become vulnerable themselves as a result. Some of the early attempts at a fix replaced the Host with the raw IP from the TCP connection and left the URL with the hijacked domain name, for example.

The take-home risk that should be pointed out is that a malicious client can poison the cache of a regular intermediary by presenting conflicting Host and URL information, unless the intermediary utilizes the absolute-URL to protect itself from a mismatch (i.e. ignore the Host and use the absolute-URL given).

Intermediaries that purely do routing are not at risk of this, and if the pathway includes a later caching proxy it somewhat self-heals by whatever mechanism the cache uses to protect itself on receiving the garbage.

If you meant security risks when only routing intermediaries are used, I'm not aware of anything current other than the part they play in the above and related problems.

Amos
Received on Tuesday, 23 April 2013 13:40:56 UTC
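The cache-poisoning scenario Amos describes, as an added illustration that is not part of the thread and not Squid's or any other product's code: a toy caching forward proxy that can be configured three ways. The `host_keyed` policy is the vulnerable shape (route on the absolute-URL authority but key the cache on the Host header, so the two can disagree); `absolute_url` is the fix he recommends (the absolute-form request-target wins and Host is ignored, as in p1 5.5); `reject_mismatch` is an additional, stricter option assumed here for contrast (refuse the request when Host and the absolute-URL authority conflict). The origin bodies, host names, policy names and both requests are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed upstream content standing in for two origin servers.
ORIGINS = {
    "bank.example": b"<html>genuine bank login</html>",
    "attacker.example": b"<html>attacker-controlled login</html>",
}


def parse_request(raw: bytes):
    """Split an HTTP/1.1 request head into (method, request-target, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


class ProxyCache:
    """Minimal caching proxy; `policy` selects how Host and absolute-URL are used.

    Policy names are assumptions for this example, not a real proxy's settings."""

    def __init__(self, policy):
        assert policy in ("host_keyed", "absolute_url", "reject_mismatch")
        self.policy = policy
        self.store = {}  # (authority, path) -> cached body

    def handle(self, raw: bytes):
        method, target, headers = parse_request(raw)
        host_hdr = headers.get("host")
        if target.startswith(("http://", "https://")):
            parts = urlsplit(target)
            url_authority, path = parts.netloc, parts.path or "/"
        else:
            url_authority, path = None, target  # origin-form: only Host is available

        if self.policy == "host_keyed":
            # Vulnerable: forward to the absolute-URL authority (routing),
            # but key the cache on Host, so a client can make them disagree.
            fetch_from = url_authority or host_hdr
            key_authority = host_hdr or url_authority
        elif self.policy == "absolute_url":
            # Recommended: absolute-form wins; Host is ignored when both exist.
            fetch_from = key_authority = url_authority or host_hdr
        else:
            # Stricter variant (assumed here): refuse conflicting requests outright.
            if url_authority and host_hdr and url_authority != host_hdr:
                return 400, b"Host does not match request-target"
            fetch_from = key_authority = url_authority or host_hdr

        if fetch_from is None:
            return 400, b"missing Host"
        key = (key_authority, path)
        if key in self.store:
            return 200, self.store[key]
        body = ORIGINS.get(fetch_from)
        if body is None:
            return 502, b"unknown upstream"
        self.store[key] = body
        return 200, body


# Constructed attack: absolute-URL points at the attacker, Host claims the bank.
POISON = (b"GET http://attacker.example/login HTTP/1.1\r\n"
          b"Host: bank.example\r\n\r\n")
# Constructed innocent follow-up request from a different user of the same proxy.
VICTIM = (b"GET http://bank.example/login HTTP/1.1\r\n"
          b"Host: bank.example\r\n\r\n")


def run_scenario(policy):
    """Return (attacker status, victim status, victim body) for one policy."""
    proxy = ProxyCache(policy)
    poison_status, _ = proxy.handle(POISON)
    victim_status, victim_body = proxy.handle(VICTIM)
    return poison_status, victim_status, victim_body


if __name__ == "__main__":
    for policy in ("host_keyed", "absolute_url", "reject_mismatch"):
        print(policy, run_scenario(policy))
```

Under `host_keyed` the attacker's one request leaves attacker content stored under `(bank.example, /login)`, and the next user asking for the bank's login page gets it straight from cache; under either of the other two policies the victim receives the genuine body, the difference being only whether the attacker's request is served from its real origin or refused.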