Re: #100: DNS Spoofing / Rebinding

Mark Nottingham <mnot@mnot.net> Tue, 19 July 2011 13:02 UTC

From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <4E228DFA.7000106@lookout.net>
Date: Tue, 19 Jul 2011 23:01:13 +1000
Cc: Amit Klein <aksecurity@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>, Henrik Nordström <henrik@henriknordstrom.net>, Lisa Dusseault <lisa.dusseault@gmail.com>
Message-Id: <A76C046F-4D8A-4AAC-9B30-684B3716505F@mnot.net>
References: <2CE9C4DC-7B6E-4770-A5CE-95BA58DD27CD@mnot.net> <CANEQ_+J3Nq-BO5XE8u+8jWr3E5_Md0mDLbkoxHgHwnygK3jDTg@mail.gmail.com> <7E86BDD3-DD87-4C36-84B2-CA8C577523CA@mnot.net> <4E228DFA.7000106@lookout.net>
To: Chris Weber <chris@lookout.net>
Subject: Re: #100: DNS Spoofing / Rebinding
Archived-At: <http://www.w3.org/mid/A76C046F-4D8A-4AAC-9B30-684B3716505F@mnot.net>

Right.

I think my concern at this point is that whatever we put into the spec, it's likely to be outdated fairly soon. I could see publishing a separate RFC (one that updates HTTP) to address this class of problem if/when that's possible; otherwise my gut feeling is that the most we can do is put a warning in that describes the problem, and list some mitigation strategies, stressing that they're not a complete fix.

Make sense?


On 17/07/2011, at 5:23 PM, Chris Weber wrote:

> On 7/16/2011 11:03 PM, Mark Nottingham wrote:
>> My understanding was that these holes had been closed, and that while there are undoubtedly still some clients out there that allow Host headers to be set, it's not an attractive attack to make now. What's the current state of things?
>> 
>> 
>> On 17/07/2011, at 3:48 PM, Amit Klein wrote:
>> 
>>> In the past (and this may re-incarnate) it was possible for clients to
>>> provide arbitrary Host headers with HTTP requests, thus rendering the
>>> Host header verification defense somewhat useless. See e.g.:
>>> http://archive.cert.uni-stuttgart.de/bugtraq/2006/09/msg00090.html
>>> 
>>> 
> 
> Most of these holes have been closed.  Save for the exceptions where similar bugs will probably continue to surface, which it sounds like Amit was alluding to, as something recently did <http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails>.
> 
> Having servers verify the Host header still seems valuable as defense in depth but not as the panacea of course.
> 
> -Chris
> 

--
Mark Nottingham   http://www.mnot.net/
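The "Host header verification" defense that Amit and Chris discuss above, as an added example that is not part of the thread and not code from any of the participants. It is a server-side allowlist check: the server answers only for the names it was deployed under, so a request that a rebinding attacker's domain steers at it arrives with the attacker's name in Host and is refused. The host names (intranet.example, attacker.example, localhost) and the ALLOWED_HOSTS configuration are assumptions made for the example; the sample requests at the bottom are constructed.

```python
"""Host header allowlist check against DNS rebinding (added example).

Scenario: attacker.example first resolves to the attacker's server, which
serves a page to the victim's browser, then is re-pointed at an internal
address. The browser's follow-up requests reach the internal server with
"Host: attacker.example". A server that only accepts the names it is
deployed under rejects them. Names and configuration below are assumed.
"""
import ipaddress
from typing import Dict, Optional, Tuple

# Assumed deployment configuration: the names this origin legitimately serves.
ALLOWED_HOSTS = frozenset({"intranet.example", "localhost"})


def parse_host(host_header: str) -> Optional[Tuple[str, Optional[int]]]:
    """Split a Host value into (lowercased host, port or None).

    Returns None for syntactically unusable values. Handles the bracketed
    IPv6 form ("[::1]:8080"), an optional port, and a trailing dot.
    """
    value = host_header.strip().lower()
    if not value:
        return None
    if value.startswith("["):
        end = value.find("]")
        if end == -1:
            return None
        host, rest = value[1:end], value[end + 1:]
        if rest and not rest.startswith(":"):
            return None
        port_str = rest[1:] if rest else ""
    else:
        host, _sep, port_str = value.partition(":")
        if ":" in host:  # an unbracketed IPv6 literal is not valid here
            return None
    port = None
    if port_str:
        if not port_str.isdigit() or not 0 < int(port_str) <= 65535:
            return None
        port = int(port_str)
    host = host.rstrip(".")
    if not host:
        return None
    return host, port


def is_ip_literal(host: str) -> bool:
    """True for IPv4/IPv6 address literals such as 10.0.0.5 or ::1."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def host_is_allowed(host_header: str, allowed=ALLOWED_HOSTS) -> bool:
    """Accept only exact, case-insensitive matches against the allowlist.

    IP literals are refused outright: a rebinding attack points a name at an
    address, and a server reached by bare address should not answer as if it
    were one of its configured names.
    """
    parsed = parse_host(host_header)
    if parsed is None:
        return False
    host, _port = parsed
    if is_ip_literal(host):
        return False
    return host in allowed


def handle_request(headers: Dict[str, str]) -> Tuple[int, str]:
    """Minimal dispatcher: 400 on a missing or unrecognised Host, else 200."""
    lowered = {k.lower(): v for k, v in headers.items()}
    host = lowered.get("host")
    if host is None:
        return 400, "missing Host header"
    if not host_is_allowed(host):
        return 400, "Host not served by this origin"
    return 200, "ok"


if __name__ == "__main__":
    # Constructed requests: a legitimate one and one steered by rebinding.
    legit = {"Host": "Intranet.Example:8443", "User-Agent": "example"}
    rebound = {"Host": "attacker.example", "User-Agent": "example"}
    print(handle_request(legit))    # (200, 'ok')
    print(handle_request(rebound))  # (400, 'Host not served by this origin')
```

The caveat the thread itself raises still applies: this check only helps while the client cannot be induced to send an arbitrary Host value, so it is a defense-in-depth measure rather than a complete fix.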