On Tue, Mar 17, 2009 at 2:19 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> Basically: Host header forgery meets interception.
>
> What ideas/patches do we have floating around to solve it? I understand it's
> an old problem.
>
> I'm throwing together a patch to verify the received dst IP is in the rDNS
> for the Host: domain. But that's only raising the bar of difficulty, not
> closing the hole.
It would be interesting to know what the commercial solutions which
claim to be unaffected do to address the issue. Is there any
information available on that?
-- /kinkie

Received on Tue Mar 17 2009 - 13:55:57 MDT
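As an added illustration (not code from this thread or from Squid), a forward-lookup variant of the check Amos describes: the original destination address of the intercepted connection is compared against the addresses the Host: name resolves to, with IP-literal Hosts compared directly. The resolver is passed in as a parameter; FAKE_DNS and fake_resolve are constructed stand-ins so the example runs offline, and split_host_header and destination_matches_host are hypothetical helper names.

```python
import ipaddress
from typing import Callable, Iterable, Optional, Tuple

def split_host_header(host_header: str) -> Tuple[str, Optional[int]]:
    """Hypothetical helper: split a Host: value into (name, port)."""
    h = host_header.strip()
    if h.startswith("["):                      # bracketed IPv6 literal, e.g. [2001:db8::1]:443
        end = h.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal in Host header")
        name, rest = h[1:end], h[end + 1:]
        port = int(rest[1:]) if rest.startswith(":") and rest[1:].isdigit() else None
        return name, port
    if h.count(":") > 1:                       # bare IPv6 literal: no port to split off
        return h, None
    name, sep, port = h.rpartition(":")
    if sep and port.isdigit():
        return name, int(port)
    return h, None

def destination_matches_host(host_header: str, dst_ip: str,
                             resolve: Callable[[str], Iterable[str]]) -> bool:
    """True if the intercepted connection's original destination address is one
    of the addresses the Host: name legitimately maps to. A mismatch means the
    client asked one server for a name that belongs to another (Host forgery)."""
    name, _port = split_host_header(host_header)
    dst = ipaddress.ip_address(dst_ip)
    try:
        # Host carries an IP literal: it must equal the destination exactly.
        return ipaddress.ip_address(name) == dst
    except ValueError:
        pass
    try:
        addrs = resolve(name.lower().rstrip("."))
        candidates = {ipaddress.ip_address(a) for a in addrs}
    except OSError:                            # NXDOMAIN or resolver failure: no match
        return False
    return dst in candidates

# Constructed DNS data (documentation address ranges) standing in for real lookups.
FAKE_DNS = {
    "www.example.com": ["192.0.2.10", "2001:db8::10"],
    "intranet.corp": ["10.0.0.5"],
}

def fake_resolve(name: str) -> list:
    """Constructed resolver: raises like a failed lookup for unknown names."""
    if name not in FAKE_DNS:
        raise OSError("NXDOMAIN")
    return FAKE_DNS[name]
```

As Amos notes for his patch, this only raises the bar: any name that legitimately resolves to the destination still passes, so it is a sanity check rather than a fix for interception itself.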
This archive was generated by hypermail 2.2.0 : Wed Mar 18 2009 - 12:00:03 MDT