- From: Frode Børli <frode@seria.no>
- Date: Fri, 20 Jun 2008 13:52:21 +0200
I have a proposal for a cross domain security framework that i think should be implemented in browsers, java applets, flash applets and more. The problem: If browsers could connect freely to whichever IP-address they want, then a simple ad on a highly popular website can be used to trigger massive DDOS attacks or distributed brute force password attacks etc. The challenge: The owner of the server that receives incoming connections must be able to decide who is able to connect. The tools available: The browser. The server. DNS servers. The method: The browser always know where it downloaded any given script or applet. It also know which IP-address or host-name the script wants to connect to. The browser should perform the following check to make sure that the given script is allowed to connect: 1. Browser downloads a script from server A. 2. Script tries to connect to server B. 3. Browser looks up server B's IP-address. 4. Browser performs a reverse lookup of server B's IP-address and gets a host name for the server. 5. Browser looks up a special TXT record in the DNS record for Server B, which states each of the IP addresses/host names that can hosts scripts allowed to connect. DNS records are cached multiple places (including at the local computer), so a DDOS attack attempting to take down DNS servers probably not succeed. What do you think? Best regards, Frode B?rli Seria AS, Norway
Received on Friday, 20 June 2008 04:52:21 UTC