On Mon, Jun 13, 2016 at 6:22 AM, Richard Barnes <[email protected]> wrote:
> Thanks for bringing this up. I agree that this would be good to document in
> the Security Considerations, or maybe within the Operational Considerations
> below. Would you like to take a shot at a PR?
I'll let someone else do it, I think; I'm not quite sure how to write it myself. I think I agree with all of Jacob's comments. The spec can probably just suggest not performing any HTTP requests to Special-Purpose Addresses while following HTTP redirects, unless specifically configured otherwise (such as for an intranet CA).

I also realized that you can get similar behavior without using redirects by setting the A record of a domain to point to an internal IP address (though of course you can't control the HTTP path this way). I can't actually see how it would be of any use to an attacker, but it's possible. Making sure the filtering is done at the IP address/network level will fix both. That is, implementations shouldn't fix this only while following redirects; it should be done for all HTTP requests.

-- 
Blake

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
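The filtering Blake describes above (decide at the IP address/network level, before every request, not only when a redirect is being followed) as a worked example. This is added code written for this thread, not text from the ACME draft, from the list, or from any ACME implementation. The special-purpose blocks are the ones from the IANA registries plus the flags Python's ipaddress module exposes; the resolver, HTTP fetcher, DNS table and responses are constructed stand-ins so the code runs offline, and the "public" address 11.22.33.44 is an arbitrary constructed value.

```python
import ipaddress
from typing import Callable, Iterable, List, Optional, Tuple
from urllib.parse import urljoin, urlparse

# Special-purpose blocks from the IANA registries (RFC 6890 and successors), listed
# explicitly in addition to the flags the ipaddress module already exposes.
_EXTRA_BLOCKED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",       # "this" network
    "100.64.0.0/10",   # shared address space (CGN), RFC 6598
    "192.0.0.0/24",    # IETF protocol assignments
    "198.18.0.0/15",   # benchmarking, RFC 2544
    "240.0.0.0/4",     # reserved
    "64:ff9b::/96",    # IPv4/IPv6 translation, RFC 6052
    "2001:db8::/32",   # documentation
)]


def is_special_purpose(addr: str) -> bool:
    """True if addr (an IPv4 or IPv6 literal) is loopback, private, link-local,
    multicast, reserved, unspecified, or in another special-purpose block."""
    ip = ipaddress.ip_address(addr)
    if (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
        return True
    # An IPv4-mapped IPv6 address (::ffff:10.0.0.5) is judged by its IPv4 payload.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return is_special_purpose(str(ip.ipv4_mapped))
    return any(ip in net for net in _EXTRA_BLOCKED)


Resolver = Callable[[str], Iterable[str]]
Fetcher = Callable[[str], Tuple[int, Optional[str], bytes]]  # (status, Location, body)


def resolve_checked(host: str, resolver: Resolver) -> List[str]:
    """Resolve host and reject it if ANY returned address is special-purpose.
    Every address is checked, not only the first, so a DNS answer that mixes a
    public and an internal address is rejected as well."""
    try:
        ipaddress.ip_address(host)
        addrs = [host]                      # IP literal in the URL: nothing to resolve
    except ValueError:
        addrs = list(resolver(host))
    if not addrs:
        raise ValueError(f"no addresses for {host}")
    bad = [a for a in addrs if is_special_purpose(a)]
    if bad:
        raise ValueError(f"{host} resolves to special-purpose address(es) {bad}")
    return addrs


def fetch_validation(url: str, resolver: Resolver, fetcher: Fetcher,
                     max_redirects: int = 5) -> bytes:
    """Fetch url, applying the address check before every request: the first
    one as well as each redirect hop, so the filter is per request."""
    for _ in range(max_redirects + 1):
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https") or not parsed.hostname:
            raise ValueError(f"unsupported URL {url}")
        resolve_checked(parsed.hostname, resolver)
        status, location, body = fetcher(url)
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)    # relative Location headers resolved too
            continue
        return body
    raise ValueError("too many redirects")


# --- Constructed stand-ins (assumption: not a real resolver or HTTP client) ---
_FAKE_DNS = {
    "public.example": ["11.22.33.44"],              # constructed public address
    "mixed.example": ["11.22.33.44", "10.0.0.5"],   # answer with one internal address
    "internal.example": ["192.168.1.20"],           # A record pointing inside
}
_FAKE_HTTP = {
    "http://public.example/.well-known/ok": (200, None, b"token.thumbprint"),
    # A public host redirecting the validator onto a loopback service.
    "http://public.example/.well-known/redir": (302, "http://127.0.0.1:8080/admin", b""),
    "http://127.0.0.1:8080/admin": (200, None, b"internal data"),
}


def fake_resolver(host: str) -> List[str]:
    return _FAKE_DNS.get(host, [])


def fake_fetcher(url: str) -> Tuple[int, Optional[str], bytes]:
    return _FAKE_HTTP.get(url, (404, None, b""))


def demo() -> dict:
    """Run the checked fetch over the constructed cases; 'blocked' means the
    address filter refused the request before any HTTP would have been sent."""
    cases = {
        "plain": "http://public.example/.well-known/ok",
        "redirect_to_loopback": "http://public.example/.well-known/redir",
        "mixed_dns_answer": "http://mixed.example/.well-known/ok",
        "internal_a_record": "http://internal.example/.well-known/ok",
        "literal_loopback": "http://127.0.0.1:8080/admin",
    }
    results = {}
    for name, url in cases.items():
        try:
            results[name] = fetch_validation(url, fake_resolver, fake_fetcher)
        except ValueError:
            results[name] = "blocked"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome!r}")
```

Two points the stub hides: a real client must connect to the very addresses it checked (pin them rather than letting the HTTP library resolve the name again, otherwise the answer can change between check and connect), and the intranet-CA case Blake mentions is best expressed as an explicit, configured allowlist of networks exempted from the filter rather than a switch that turns the filter off.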
