I have a proposal for a cross-domain security framework that I think should be implemented in browsers, Java applets, Flash applets and more.

The problem: If browsers could connect freely to whichever IP address they want, then a simple ad on a highly popular website can be used to trigger massive DDoS attacks or distributed brute-force password attacks etc.

The challenge: The owner of the server that receives incoming connections must be able to decide who is able to connect.

The tools available: The browser. The server. DNS servers.

The method: The browser always knows where it downloaded any given script or applet. It also knows which IP address or host name the script wants to connect to. The browser should perform the following check to make sure that the given script is allowed to connect:

1. Browser downloads a script from server A.
2. Script tries to connect to server B.
3. Browser looks up server B's IP address.
4. Browser performs a reverse lookup of server B's IP address and gets a host name for the server.
5. Browser looks up a special TXT record in the DNS record for server B, which states each of the IP addresses/host names that can host scripts allowed to connect.

DNS records are cached in multiple places (including at the local computer), so a DDoS attack attempting to take down DNS servers will probably not succeed.

What do you think?

Best regards,
Frode Børli
Seria AS, Norway
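The five-step check proposed in the message above, sketched as an added example that is not part of the original post. The `xdomain-allow=` TXT format, the in-memory tables standing in for DNS, all names and addresses, and the choice to deny when a record is missing are assumptions made for illustration.

```python
import ipaddress

# Constructed stand-ins for DNS answers (example names, documentation IP ranges).
A_RECORDS = {
    "ads.example.net": "198.51.100.7",
    "cdn.example.net": "192.0.2.44",
    "api.example.com": "203.0.113.10",
    "other.example.org": "203.0.113.50",
}
PTR_RECORDS = {
    "203.0.113.10": "api.example.com",
    "203.0.113.50": "other.example.org",
}
# Hypothetical policy format: "xdomain-allow=" + comma-separated host names / IPs.
TXT_RECORDS = {
    "api.example.com": ["v=spf1 -all", "xdomain-allow=ads.example.net, 192.0.2.44"],
    "other.example.org": ["v=spf1 -all"],  # no policy published
}
PREFIX = "xdomain-allow="


def parse_policy(txt_values):
    """Return the allowed entries from the policy TXT value, or None if absent."""
    for value in txt_values:
        if value.startswith(PREFIX):
            entries = value[len(PREFIX):].split(",")
            return [e.strip().lower() for e in entries if e.strip()]
    return None


def may_connect(script_host, target_host):
    """Decide whether a script served by script_host may connect to target_host."""
    target_ip = A_RECORDS.get(target_host.lower())        # step 3: forward lookup
    ptr_name = PTR_RECORDS.get(target_ip)                 # step 4: reverse lookup
    policy = parse_policy(TXT_RECORDS.get(ptr_name, []))  # step 5: policy TXT
    if policy is None:
        return False  # assumption: any missing record means deny
    script_host = script_host.lower()
    script_ip = A_RECORDS.get(script_host)
    for entry in policy:
        if entry == script_host:
            return True
        try:  # entry may be an IP address rather than a host name
            if script_ip and ipaddress.ip_address(entry) == ipaddress.ip_address(script_ip):
                return True
        except ValueError:
            continue
    return False
```

Because the policy is fetched under the name returned by the reverse lookup, it is the holder of server B's address space, not the site serving the script, that decides who may connect.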
