On 19/06/12 17:24, Zack Weinberg wrote:
> I think we do need our own DNS resolver eventually (mostly because
> DNSSEC) but it's not necessary for this. We'd just have to refuse to do
> the DNS query at all for URLs whose hostname component did not contain a
> dot, and/or which was equal to or a suffix of an entry in the public
> suffix list.

Er, I'm confused. If I type "http://email/" into my browser, you are saying we should refuse to do a DNS query? How do I then reach my intranet site? I'm fairly sure some intranet sites _only_ have a single-word name.

> This would also entail implementing our own *suffix search* logic to
> replace the logic built into gethostbyname/getaddrinfo, so that we
> didn't break the aforementioned intranet sites.

Can we tell those calls not to do their own suffix search before they return their answer?

> I think there's a case
> for doing that independent of whether we reject top-level A(AAA)
> records: the security problem arises because an external entity changes
> the meaning of an organization-internal URL, and we could fix that by
> doing suffix search *first*.

I suspect, with no evidence, that this might break things...

> (Alternatively we could disable suffix search altogether and see how
> much screaming there is.)

Surely ("don't call me Shirley!") it would be enormous amounts of screaming?

Gerv

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
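The two policies argued over in the thread, modelled as an added example. This is not code from the thread or from any Mozilla resolver; it is a toy model whose public suffix list excerpt, search domains, DNS answers and the names `candidate_names`, `resolve` and `is_public_suffix` are all constructed for illustration. It shows three things: that a bare name which is itself a public suffix ("email", "co.uk") is never queried on its own, so "http://email/" cannot land on a top-level A record; that a dotless name still reaches an intranet host through the search list; and why the *ordering* matters even for a label the public suffix list does not yet know about ("wiki" below), because the list lags behind new top-level domains.

```python
# Added example (not Firefox/NSS code): a toy model of the resolution policy
# discussed in the thread above.  It answers two questions for a URL hostname:
#   1. which fully-qualified names to query, and in what order, and
#   2. whether a bare query for the name itself is allowed at all.
# The public suffix list excerpt, search domains and DNS answers are all
# constructed for this example.

# Constructed excerpt of a public suffix list.  The real list
# (https://publicsuffix.org/) is far longer; "email" stands in for any
# top-level label an external registry could start serving records for.
PUBLIC_SUFFIXES = {"com", "org", "uk", "co.uk", "email"}

# Constructed DNS answers, keyed by absolute name (trailing dot).
FAKE_DNS = {
    "email.example.corp.": "10.0.0.5",   # the organisation's intranet mail host
    "email.": "203.0.113.9",             # apex A record an external party controls
    "wiki.example.corp.": "10.0.0.6",    # intranet wiki
    "wiki.": "203.0.113.10",             # a hypothetical new TLD not yet on the PSL
    "www.example.com.": "198.51.100.7",
}


def normalise(host):
    """Lower-case, strip the trailing dot, and report whether the name was absolute."""
    host = host.lower()
    absolute = host.endswith(".")
    return host.rstrip("."), absolute


def is_public_suffix(host, psl=PUBLIC_SUFFIXES):
    """True if the name, queried on its own, is a public suffix (e.g. 'com', 'co.uk')."""
    name, _ = normalise(host)
    return name in psl


def candidate_names(host, search_domains, policy="suffix_first", ndots=1,
                    psl=PUBLIC_SUFFIXES):
    """Return the absolute names to query, in order.

    policy="suffix_first": names with fewer than `ndots` dots get the search
        domains appended *before* the bare name is tried (the fix proposed above).
    policy="bare_first": the bare name is tried first, then the search domains
        (the ordering under which an external apex record shadows the intranet).
    Under both policies a name that is itself a public suffix is never queried
    as-is, so 'http://email/' cannot resolve to a top-level A(AAA) record.
    """
    name, absolute = normalise(host)
    bare = [] if is_public_suffix(name, psl) else [name + "."]
    if absolute:
        return bare                       # explicitly absolute: no suffix search at all
    searched = [name + "." + d.rstrip(".") + "." for d in search_domains]
    if name.count(".") >= ndots:
        return bare + searched            # enough dots: treat it as a FQDN first
    if policy == "suffix_first":
        return searched + bare
    if policy == "bare_first":
        return bare + searched
    raise ValueError("unknown policy: %r" % policy)


def resolve(host, search_domains, policy="suffix_first", dns=FAKE_DNS):
    """Walk the candidates in order; return (queried_name, address) for the first
    answer, or None if every candidate is refused or unanswered."""
    for fqdn in candidate_names(host, search_domains, policy):
        if fqdn in dns:
            return fqdn, dns[fqdn]
    return None


if __name__ == "__main__":
    search = ["example.corp"]
    for name in ("email", "wiki", "www.example.com", "co.uk"):
        for policy in ("suffix_first", "bare_first"):
            print("%-16s %-13s -> %s" % (name, policy, resolve(name, search, policy)))
    print("email with no search list ->", resolve("email", []))
```

With the search list `["example.corp"]`, "email" and "wiki" both reach the intranet under `suffix_first`; under `bare_first` "wiki" goes to the external 203.0.113.10 because nothing on the constructed suffix list refuses it, which is exactly the gap the "do suffix search first" proposal closes. With no search list at all, "email" gets no query, which is the behaviour Gerv is asking about for single-word intranet names.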