I saw this in RFC 6120:
"To reduce the possibility of a denial-of-service attack, (a) the
receiving entity SHOULD NOT close the stream with a <see-other-host/>
stream error until after the confidentiality and integrity of the stream
have been protected via TLS or an equivalent security layer (such as the
SASL GSSAPI mechanism), and (b) the receiving entity MAY have a policy
of following redirects only if it has authenticated the receiving
entity. In addition, the initiating entity SHOULD abort the connection
attempt after a certain number of successive redirects (e.g., at least 2
but no more than 5)."
Does anyone have any clarification on this section and the specific DoS
threat if TLS (or authentication) does not happen before <see-other-host>?
[Standards] Security Question with <see-other-host>... Mike Wacker
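As an added illustration (not part of the original post or of any XMPP implementation), the following sketches the initiating-entity policy the quoted RFC 6120 text asks for: a <see-other-host/> received before the stream is TLS-protected is not acted on, and a chain of successive redirects is cut off after a bounded number of hops. The names RedirectPolicy, connect and MAX_REDIRECTS, and the hosts in the scenarios, are this example's own constructions.

```python
# Added example (not from the original post). Initiating-entity handling of
# <see-other-host/> per the quoted RFC 6120 text. Names are this example's own.
from dataclasses import dataclass, field

MAX_REDIRECTS = 5  # RFC 6120: "at least 2 but no more than 5"


@dataclass
class RedirectPolicy:
    """Tracks the redirect chain for one connection attempt."""
    max_redirects: int = MAX_REDIRECTS
    hops: list = field(default_factory=list)

    def decide(self, current_host: str, tls_established: bool, target: str) -> str:
        """Return 'follow' or 'abort' for a <see-other-host/> naming target."""
        if not tls_established:
            # (a): on an unprotected stream the error could have been injected
            # by anyone on the path, so it must not steer the connection.
            return "abort"
        if len(self.hops) >= self.max_redirects:
            return "abort"  # too many successive redirects
        if target == current_host or target in self.hops:
            return "abort"  # redirect loop
        self.hops.append(current_host)
        return "follow"


def connect(start_host: str, redirects: dict, tls_hosts: set,
            max_redirects: int = MAX_REDIRECTS) -> tuple:
    """Simulate one connection attempt against a constructed redirect map.

    redirects maps a host to the host named in its <see-other-host/>; a host
    absent from the map accepts the stream. tls_hosts holds the hosts with
    which TLS was negotiated before the stream error arrived.
    Returns (final_host, "connected" | "aborted").
    """
    policy = RedirectPolicy(max_redirects)
    host = start_host
    while host in redirects:
        target = redirects[host]
        if policy.decide(host, host in tls_hosts, target) == "abort":
            return host, "aborted"
        host = target
    return host, "connected"
```

A plaintext redirect aborts the attempt at the first host, a TLS-protected one is followed, and a two-host loop or a long chain stops at the hop limit rather than bouncing indefinitely.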