I'm not personally aware of any "https" origins that ignore the "Host" header. I expect that there are a few out there, running buggy custom server software on very small origins, but any widely used HTTP server implementation will have the correct behavior. In particular, any HTTP server implementation that supports virtual-hosting must inspect the Host header to work at all.
--Ben

________________________________
From: DNSOP <[email protected]> on behalf of Viktor Dukhovni <[email protected]>
Sent: Saturday, December 2, 2023 1:14 PM
To: [email protected] <[email protected]>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-svcb-dane-03.txt

> On 29 Nov 2023, at 1:14 pm, Ben Schwartz <[email protected]> wrote:
>
> This draft is essentially identical to -02 except for the new Appendix A,
> which discusses the impact of Unknown Key-Share Attacks:
> https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-svcb-dane-03#name-unknown-key-share-attacks
>
> I would appreciate more review on that section, which attempts a fairly
> tricky security analysis.
>
> Otherwise, I believe this draft is ready for WGLC (except for the
> Acknowledgements section, which still needs to be filled in).

Thanks for this work. I have read the draft and on an initial read-through,
only found a trivial editorial nit:

Section 5.2, second paragraph: s/To prevents the above .../To prevent the above .../

Otherwise, the text looks good.

That said, indeed Appendix A deserves more care than an initial read-through.

Do you know whether the requirements of
https://www.rfc-editor.org/rfc/rfc9110#section-7.4 are essentially universally
supported by HTTPS (1.1 or later) servers? Or is there a non-trivial, perhaps
significant, minority of servers that would be vulnerable to UKS despite
section 7.4?

The non-HTTPS protocols are easier to reason about, and for these I don't
expect to need to search for unexplored corner cases.

--
Viktor.

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
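A minimal illustration of the Host-header check the thread is discussing, added here as an example and not code from the draft, the thread, or any server named in it. It assumes a constructed origin list (example.com and www.example.com on port 443) and answers a well-formed Host that names some other origin with 421 Misdirected Request, the status RFC 9110 defines for a request the server cannot answer authoritatively, while a missing, duplicated or malformed Host gets 400. The decision logic is kept in `host_decision` so it can be exercised without starting the server.

```python
import http.server
from http import HTTPStatus
from urllib.parse import urlsplit

# Constructed configuration (not from the thread): the names this server is
# authoritative for, and the port it is reached on. Anything else is a
# misdirected request, whatever certificate or DANE record the client trusted.
OUR_ORIGINS = {"example.com", "www.example.com"}
DEFAULT_PORT = 443


def parse_host(host_header, default_port=DEFAULT_PORT):
    """Split a Host field value into (hostname, port).

    Returns None for a malformed value: empty, bad or out-of-range port,
    userinfo, path or query characters. urlsplit on a synthetic
    scheme-relative URL does the lexing (lower-casing and IPv6 brackets
    included) so we do not hand-roll it.
    """
    value = host_header.strip()
    if not value:
        return None
    try:
        parts = urlsplit("//" + value)
        hostname = parts.hostname  # lower-cased, brackets stripped
        port = parts.port          # None if absent, ValueError if invalid
    except ValueError:
        return None
    if (not hostname or parts.path or parts.query or parts.fragment
            or parts.username is not None):
        return None
    return hostname.rstrip("."), port if port is not None else default_port


def host_decision(host_values, our_origins=OUR_ORIGINS, port=DEFAULT_PORT):
    """Decide what to do with the Host header line(s) of one request.

    host_values is the list of every Host field line received.
    Returns 400 for a missing, duplicated or malformed Host, 421 when the
    name or port is not ours (a misdirected request), otherwise 200.
    """
    if len(host_values) != 1:
        return HTTPStatus.BAD_REQUEST
    parsed = parse_host(host_values[0], port)
    if parsed is None:
        return HTTPStatus.BAD_REQUEST
    hostname, req_port = parsed
    if hostname not in our_origins or req_port != port:
        return HTTPStatus.MISDIRECTED_REQUEST
    return HTTPStatus.OK


class HostCheckingHandler(http.server.BaseHTTPRequestHandler):
    """Serves only requests whose Host header names this origin."""

    def do_GET(self):
        status = host_decision(self.headers.get_all("Host") or [])
        if status != HTTPStatus.OK:
            self.send_error(status)
            return
        body = b"served for " + self.headers["Host"].encode() + b"\n"
        self.send_response(HTTPStatus.OK)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Plain HTTP on localhost for demonstration only; in deployment the
    # handler would sit behind TLS and the same decision would apply.
    http.server.HTTPServer(("127.0.0.1", 8080), HostCheckingHandler).serve_forever()
```

Running the block and sending `curl -H 'Host: attacker.example' http://127.0.0.1:8080/` returns 421, while `Host: example.com` or `Host: WWW.Example.COM:443` is served; a request carrying two Host lines, or none, gets 400. The point for the UKS discussion is that the rejection happens on the origin's own name, independent of whichever key the client authenticated.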
