Re: [Sks-devel] CSRF attack?
From: Phil Pennock
Subject: Re: [Sks-devel] CSRF attack?
Date: Sun, 11 Sep 2011 10:48:52 -0400
On 2011-09-11 at 11:12 +0200, Jens Leinenbach wrote:
> 1. A user visited http://pool.sks-keyservers.net:80/
> 2. A random SKS server answered with its SKS index page on port 80 by
> accident.
> 3. But when he sent his key to the server, the IP for the domain
> pool.sks-keyservers.net changed in the meantime for him, so that he sent
> (POST request) it to / at port 80 of our server instead of the formerly
> available SKS server. (Shouldn't his browser cache the IP?)
The browser caches the IP, for up to the TTL, and possibly for longer to
prevent DNS rebinding attacks. The TTL on pool.sks-keyservers.net is 8
hours.
However, that only protects against multiple requests to resolve the
hostname. In this case, _one_ DNS request returned _multiple_ IPs, so
each TCP connection will be load-balanced across the returned IPs.
So, someone is serving up a page which requests external resources, on
the vhost which handles pool.sks-keyservers.net on their IP, and some of
the resource requests went to you. This can only be fixed by each
keyserver operator.
There are two solutions:
(1) Explicitly hard-code your own hostname into the URLs for all
resources, but note that this may lead to cross-origin requests.
(2) Issue redirects from the "pool" hostname, to canonicalise them.
I use (2):
----------------------------8< cut here >8------------------------------
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} =GET [OR]
RewriteCond %{REQUEST_METHOD} =HEAD
RewriteRule ^(/pks(?:/.*+)?)$ http://sks.spodhuis.org:11371$1 [L,R=permanent]
RewriteCond %{REQUEST_METHOD} =GET [OR]
RewriteCond %{REQUEST_METHOD} =HEAD
RewriteCond %{HTTP_HOST} !^sks\.spodhuis\.org [NC]
RewriteCond %{HTTP_HOST} !^$
RewriteRule ^(.*) http://sks.spodhuis.org$1 [R,L,NE]
</IfModule>
----------------------------8< cut here >8------------------------------
The first three RewriteCond/RewriteRule lines deal with a different
problem. The next five deal with this issue.
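An offline model of the decision logic in the mod_rewrite block above, written as an added example for this archive page; it is not code from Phil's message or from SKS. It reproduces the two rule groups (HKP paths to the keyserver's own host and port with a permanent redirect; any other GET/HEAD that arrived under a non-canonical, non-empty Host header to the canonical hostname with a temporary redirect) so an operator can check which requests a server configured this way would answer in place and which it would canonicalise. `sks.spodhuis.org` and port 11371 are the values from the mail; the function names, the status codes assumed for `R` and `R=permanent`, and the sample requests are this example's own assumptions. Paths are passed without the query string, matching what a RewriteRule pattern sees.

```python
import re
from typing import Optional, Tuple

# Example model, not part of the original mail. Hostname and port are the
# ones Phil's config uses; the rest is an assumption of this model.
CANONICAL_HOST = "sks.spodhuis.org"
HKP_PORT = 11371

# Mirrors RewriteRule ^(/pks(?:/.*+)?)$ : the HKP root and anything under it.
# (Apache's PCRE accepts the possessive ".*+"; Python's re does not, and the
# plain ".*" is equivalent here because the pattern is anchored with "$".)
PKS_PATH = re.compile(r"^(/pks(?:/.*)?)$")

# Assumed status codes: Apache's R flag defaults to 302, R=permanent is 301.
TEMPORARY, PERMANENT = 302, 301


def canonical_redirect(method: str, host: str, path: str) -> Optional[Tuple[int, str]]:
    """Return (status, Location) for a request the rules would redirect,
    or None when the request is served in place by this vhost."""
    if method.upper() not in ("GET", "HEAD"):
        # Both rule groups are guarded by RewriteCond on GET/HEAD: a POST
        # (a key submission to /pks/add) is never redirected, since a
        # redirect would drop the request body.
        return None

    m = PKS_PATH.match(path)
    if m:
        # First group: HKP traffic goes to the server's own name on 11371,
        # so a client that reached us via the pool name keeps talking to us.
        return (PERMANENT, f"http://{CANONICAL_HOST}:{HKP_PORT}{m.group(1)}")

    # Second group: RewriteCond %{HTTP_HOST} !^sks\.spodhuis\.org [NC] is a
    # case-insensitive prefix test, and !^$ skips Host-less HTTP/1.0 requests.
    if host and not host.lower().startswith(CANONICAL_HOST):
        # Any other page reached under the pool name is sent to the canonical
        # host, so relative resource URLs on it resolve to this server rather
        # than to whichever pool member the next TCP connection lands on.
        return (TEMPORARY, f"http://{CANONICAL_HOST}{path}")

    return None


if __name__ == "__main__":
    # Constructed sample requests, in the shape of the incident described.
    samples = [
        ("GET", "pool.sks-keyservers.net", "/"),
        ("GET", "pool.sks-keyservers.net", "/pks/lookup"),
        ("POST", "pool.sks-keyservers.net", "/pks/add"),
        ("GET", "sks.spodhuis.org", "/"),
        ("GET", "", "/"),
    ]
    for req in samples:
        print(req, "->", canonical_redirect(*req))
```

The point this makes visible is that the rules canonicalise only idempotent requests: a submission that arrives at the wrong pool member is still answered by that member, so the redirects fix the stray resource fetches but not a POST that has already been misdirected by round-robin DNS.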