Mark Crispin <[EMAIL PROTECTED]> writes:

> The question is whether or not it is safe to exempt localhost
> connections. Since localhost does not go out over the wire and
> hence is internal to the local system, it arguably is not within the
> IETF domain to declare compliance. I am comfortable with that
> argument; I am not completely sure whether we can assume that
> localhost connections are a secure path.

IMHO it depends on how you define "localhost", and how you determine if the connection is to "localhost" or not. Looking up the address for the name "localhost" in DNS and checking if the address matches the source address of incoming packets is a very poor idea, for instance.
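
Added example, not part of the original message or of any server discussed in this thread: one way to decide "is this peer localhost" from the address the kernel reports for the accepted socket, next to the name-lookup check described above. The function names and resolver answers are constructed for illustration, and the sketch assumes the host does not accept loopback-sourced packets arriving on external interfaces.

```python
import ipaddress
import socket

def peer_is_loopback(peer):
    """Classify the tuple returned by getpeername() on an accepted TCP socket."""
    host = peer[0].split("%", 1)[0]          # drop any IPv6 zone id
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False                          # not a literal address: not local
    # A dual-stack listener reports IPv4 peers as ::ffff:a.b.c.d
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return addr.is_loopback                   # 127.0.0.0/8 or ::1

def name_based_check(peer, resolve):
    """The check the message calls a poor idea, kept for contrast.
    `resolve` is a hypothetical stand-in for a DNS lookup of a host name."""
    return peer[0] in resolve("localhost")

# Constructed resolver answers (192.0.2.0/24 is the documentation range).
def honest_resolver(name):
    return ["127.0.0.1"]

def wrong_resolver(name):
    return ["192.0.2.10"]   # a bad or forged answer for "localhost"

def live_peer():
    """Accept one real connection over loopback and return its peer tuple."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        with socket.create_connection(srv.getsockname()) as cli:
            conn, _ = srv.accept()
            with conn:
                return conn.getpeername()

if __name__ == "__main__":
    remote = ("192.0.2.10", 40000)           # constructed non-local peer
    # Name-based check trusts the resolver; the address check does not.
    print(name_based_check(remote, wrong_resolver), peer_is_loopback(remote))
    print(peer_is_loopback(live_peer()))
```

The name-based check fails in both directions: it accepts a remote peer when the resolver answer is wrong, and it rejects a genuine loopback peer such as 127.0.0.2 or ::1 when the name resolves only to 127.0.0.1.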
