RE: LYNX-DEV two curiosities from IETF HTTP session.
From: Jim Gettys
Subject: RE: LYNX-DEV two curiosities from IETF HTTP session.
Date: Thu, 18 Dec 1997 10:50:57 -0800
>
> <snip>
>
> > I think you are confused.... In Rev-01, only an origin server is allowed
> > to generate a 305 response. It is authoritative for that resource, so
> > the spoofing problems don't come up (and is the reason for that text being
> > in the document...)
> >
> And exactly how can the browser tell that it was the origin server that sent
> the 305? And not the untrustworthy proxy in between the client and the
> server?
You can't tell.
>
> I know that normally one trusts one's proxy, but since security issues are
> being raised here, the question needs to be asked.
>
> Paul
You've delegated trust to the proxy. If the trust was misplaced, you have
any/all sorts of attacks possible, of which this is far from the most
serious. The best we can do is mitigate the damage, for correct
and trustworthy implementations. The problem with 306 was that it was
a way to insert a man in the middle, relatively easily, which was
not trustworthy.
- Jim