Re: #100: DNS Spoofing / Rebinding

Henrik Nordström <henrik@henriknordstrom.net> Fri, 29 July 2011 23:14 UTC

From: Henrik Nordström <henrik@henriknordstrom.net>
To: Mark Nottingham <mnot@mnot.net>
Cc: HTTP Working Group <ietf-http-wg@w3.org>, Lisa Dusseault <lisa.dusseault@gmail.com>
Date: Sat, 30 Jul 2011 01:12:56 +0200
In-Reply-To: <2CE9C4DC-7B6E-4770-A5CE-95BA58DD27CD@mnot.net>
References: <2CE9C4DC-7B6E-4770-A5CE-95BA58DD27CD@mnot.net>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.0.2 (3.0.2-3.fc15)
Message-ID: <1311981177.21825.36.camel@henriknordstrom.net>
Subject: Re: #100: DNS Spoofing / Rebinding
Archived-At: <http://www.w3.org/mid/1311981177.21825.36.camel@henriknordstrom.net>

Sun 2011-07-17 at 11:33 +1000, Mark Nottingham wrote:
> <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/100>
> 
> We've had this ticket open for a while now.
> 
> Relevant text in our current draft:
>   <http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-15#section-11.4>
> 
> AIUI DNS pinning is no longer considered an adequate defence against
> rebinding, and the current advice is for servers to verify the Host
> header.

Regarding issue #100, I think it's a proper action to align
specifications with current implementations a bit by dropping the MUST-level
requirement from p1 11.4, deleting the following text entirely:

   If HTTP clients cache the results of host name lookups in order to
   achieve a performance improvement, they MUST observe the TTL
   information reported by DNS.

   If HTTP clients do not observe this rule, they could be spoofed when
   a previously-accessed server's IP address changes.  As network
   renumbering is expected to become increasingly common [RFC1900], the
   possibility of this form of attack will grow.  Observing this
   requirement thus reduces this potential security vulnerability.

with no replacement or other changes to the text. This leaves it entirely up
to implementations how they cache DNS lookups, if they cache at all. The other
requirements are all SHOULD level, leaving the door open to cache if one
wants to.

As already noted, the section in general is both bad advice in terms of
security and the opposite of what most client implementations do today.
And in issues like this it's better to be silent than to give bad
advice.

But even with this text deleted the title of the section is questionable
except for the initial paragraph.

For domains using DNSSec the situation is quite different. There
everything said in p1 11.4 is true, secure and technically correct. But
then the title is completely irrelevant.


So here is another proposal. Shorten and rewrite p1 4.2 as follows:

        Clients using HTTP rely heavily on the Domain Name Service, and
        are thus generally prone to security attacks based on the
        deliberate misassociation of IP addresses and DNS names not
        protected by DNSSec. Clients need to be cautious in assuming the
        validity of an IP number/DNS name association unless the
        response is protected by DNSSec.


removing all advice on how (not) to cache DNS responses, and any
implication that there is any continuing relation. And in the absence of a
usable reference, keep silent on how to be cautious.
Regarding the Host header validation mentioned in p1 4.2 #3, that's not
a new requirement. It's been there since 2616 at least. And still most
implementations have a catch-all default directly violating this.


Regards
Henrik
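Added example, not part of the thread and not code from HTTPbis or any server implementation: the server-side Host check that the message refers to (p1 4.2 #3, inherited from RFC 2616 section 5.2), answering 400 instead of falling through to a catch-all default vhost. This is the server's defence against rebinding: the rebound browser still sends the attacker's name in Host, so a server that only serves the names it is authoritative for does not act on the request. The allow-list, the listening port and the sample requests are constructed for the illustration; the absolute-form-wins ordering and the rejection of missing or duplicated Host follow the 2616 text.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed allow-list: the names this server is actually authoritative for.
ALLOWED_HOSTS = frozenset({"example.test", "www.example.test"})
LISTEN_PORT = 80  # assumed listening port; a port in Host must match it

# host = IPv6 literal in brackets, or a reg-name / IPv4 literal; optional :port
_HOST_RE = re.compile(r"^(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+)(?::(\d{1,5}))?$")


def parse_host(value):
    """Split a Host field value into (host, port); None if it is malformed."""
    m = _HOST_RE.match(value.strip())
    if m is None:
        return None
    host, port = m.group(1).lower(), m.group(2)
    port = int(port) if port else LISTEN_PORT
    if not 0 < port < 65536:
        return None
    if host.startswith("["):
        try:
            ipaddress.IPv6Address(host[1:-1])  # reject junk inside the brackets
        except ValueError:
            return None
    # A trailing dot is the same name in DNS; normalise so it cannot bypass the list.
    return host.rstrip("."), port


def host_is_allowed(value, allowed=ALLOWED_HOSTS, port=LISTEN_PORT):
    """True only for a name we serve, on the port we listen on.

    A rebinding page makes the browser send the attacker's name in Host
    (the browser believes it is talking to attacker.test); unknown names
    and bare IP literals are rejected rather than served by a default vhost.
    """
    parsed = parse_host(value)
    if parsed is None:
        return False
    host, req_port = parsed
    return host in allowed and req_port == port


def effective_host(request):
    """Return the host a raw HTTP/1.1 request is addressed to, or None.

    Order follows RFC 2616 section 5.2: the authority of an absolute-form
    request-target wins over the Host field; otherwise exactly one Host
    field is required (missing or duplicated Host means 400).
    """
    head = request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None
    target = parts[1]
    hosts = [line.split(":", 1)[1] for line in lines[1:]
             if line.lower().startswith("host:")]
    if len(hosts) != 1:
        return None
    if "://" in target:
        return urlsplit(target).netloc
    return hosts[0]


def respond(request):
    """Status code this server would send: 400 unless the host check passes."""
    host = effective_host(request)
    if host is None or not host_is_allowed(host):
        return 400
    return 200


if __name__ == "__main__":
    # Constructed sample requests: a legitimate one and a rebinding-style one.
    good = b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
    rebound = b"GET /admin HTTP/1.1\r\nHost: attacker.test\r\n\r\n"
    print(respond(good), respond(rebound))  # 200 400
```

The port comparison matters in practice: a server that accepts "example.test:8080" while listening on 80 is accepting a Host it was never addressed by, and the trailing-dot normalisation closes the "example.test." spelling that string comparison alone would let through.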