sks-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Sks-devel] CSRF attack?

From: Phil Pennock
Subject: Re: [Sks-devel] CSRF attack?
Date: Sun, 11 Sep 2011 10:48:52 -0400 
On 2011-09-11 at 11:12 +0200, Jens Leinenbach wrote:
> 1. A user visited http://pool.sks-keyservers.net:80/
> 2. A random SKS server answered with its SKS index page on port 80 by
> accident.
> 3. But when he sent his key to the server, the IP for the domain
> pool.sks-keyservers.net changed in the meantime for him, so that he sent
> (POST request) it to / at port 80 of our server instead of the formerly
> available SKS server. (Shouldn't his browser cache the IP?)

The browser caches the IP, for up to the TTL, and possibly for longer to
prevent DNS rebinding attacks.  The TTL on pool.sks-keyservers.net is 8
hours.

However, that only protects against multiple requests to resolve the
hostname.  In this case, _one_ DNS request returned _multiple_ IPs, so
each TCP connection will be load-balanced across the returned IPs.

So, someone is serving up a page which requests external resources, on
the vhost which handles pool.sks-keyservers.net on their IP, and some of
the resource requests went to you.  This can only be fixed by each
keyserver operator.

There are two solutions:

(1) Explicitly hard-code your own hostname into the URLs for all
    resources, but note that this may lead to cross-origin requests.
(2) Issue redirects from the "pool" hostname, to canonicalise them.

I use (2):
----------------------------8< cut here >8------------------------------
  <IfModule mod_rewrite.c>
    RewriteEngine       on
    RewriteCond         %{REQUEST_METHOD} =GET          [OR]
    RewriteCond         %{REQUEST_METHOD} =HEAD
    RewriteRule         ^(/pks(?:/.*+)?)$ http://sks.spodhuis.org:11371$1 
[L,R=permanent]
    RewriteCond         %{REQUEST_METHOD} =GET          [OR]
    RewriteCond         %{REQUEST_METHOD} =HEAD
    RewriteCond         %{HTTP_HOST}    !^sks\.spodhuis\.org            [NC]
    RewriteCond         %{HTTP_HOST}    !^$
    RewriteRule         ^(.*)           http://sks.spodhuis.org$1       [R,L,NE]
  </IfModule>
----------------------------8< cut here >8------------------------------

The first three RewriteCond/RewriteRule lines deal with a different
problem.  The next five deal with this issue.
reply via email to
[Prev in Thread] Current Thread [Next in Thread]