- From: Henrik Nordström <henrik@henriknordstrom.net>
- Date: Mon, 27 Jun 2011 17:54:24 +0200
- To: Gervase Markham <gerv@mozilla.org>
- Cc: public-web-security@w3.org
mån 2011-06-27 klockan 09:14 +0100 skrev Gervase Markham: > Isn't there a risk here? HTTP vhosting exists, but TLS vhosting does not > (really) yet. So the owner of the website which is at > http://www.foo.com/ might find that accessing https://www.foo.com/ > actually gives them the HTML content of https://www.bar.com/, which is > hosted on the same machine, but controlled by someone else entirely. Yes there is a risk. Today the risk is fairly minimal with most sites using https having their own IPv4 address not shared by third party http sites, but the risk is likely to increase in future as IPv4 adresses becomes more scarse. However, in this case the risk is easily mitigated by simply making sure https vhosting is enabled when running https on an IP vhere http vhosting is enabled. Note: A similar but different risk exists in the same-origin policy of Java/Flash sandboxes, where the applet can access any service on the same IP, which means any vhost on that IP. Regards Henrik
Received on Monday, 27 June 2011 15:55:09 UTC