On 2012-06-20 3:44 AM, Gervase Markham wrote:
On 19/06/12 17:24, Zack Weinberg wrote:

Er, I'm confused. If I type "http://email/" into my browser, you are
saying we should refuse to do a DNS query? How do I then reach my
intranet site? I'm fairly sure some intranet sites _only_ have a
single-word name.

Ugh, you're right; I forgot about /etc/hosts and WINS names.

There might be something clever we can do to detect these, but I'm not
sure what it would be offhand; the operating system APIs I know about
are deliberately designed to hide the details of where the names come
from :-(

This would also entail implementing our own *suffix search* logic
to replace the logic built into gethostbyname/getaddrinfo, so that
we didn't break the aforementioned intranet sites.

Can we tell those calls not to do their own suffix search before
they return their answer?

Yes, we just stick an extra dot on the end before calling getaddrinfo.

I think there's a case for doing that independent of whether we
reject top-level A(AAA) records: the security problem arises
because an external entity changes the meaning of an
organization-internal URL, and we could fix that by doing suffix
search *first*.

I suspect, with no evidence, that this might break things...

It's certainly possible, e.g. http://example.cc/ where `cc` is both a
real TLD and an internal subdomain.

I confess I see this as another argument for disabling suffix search
altogether.  It breaks *more*, but we get a substantial reduction in
context-dependence of URLs in exchange.

(Alternatively we could disable suffix search altogether and see
how much screaming there is.)

Surely ("don't call me Shirley!") it would be enormous amounts of
screaming?

My intuition says it would be large, but perhaps not too large, and I wouldn't want to do anything without real data.

Which we could collect: instrument the DNS resolver to tell us when the result we got was from suffix search, count the number of times it happens, report via Telemetry (we don't record the names, so this should be plenty anonymous). Algorithm for telling:

  /* assumes <netdb.h> and <stdio.h>; `name` is the host typed by the user */
  struct addrinfo *rA = NULL, *rB = NULL;
  char absolute[NI_MAXHOST + 2];
  snprintf(absolute, sizeof absolute, "%s.", name); /* trailing dot: no suffix search */
  if (getaddrinfo(absolute, NULL, NULL, &rA) == 0)
      return rA;                                    /* resolved exactly as given */
  if (getaddrinfo(name, NULL, NULL, &rB) != 0)
      return NULL;                                  /* not resolvable either way */
  suffix_search++;                                  /* only the search list could answer */
  return rB;

No additional overhead in the non-suffix-search case.

zw
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
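Added example, not part of the thread: a small offline model of the behaviour argued about above (search-list resolution, the "suffix search first" variant, and the counting algorithm from the message). The ZONE table, the `corp.example` search suffix and the glibc-style `ndots` ordering are constructed assumptions, standing in for real DNS and resolv.conf.

```python
# Constructed data: what an authoritative lookup of each absolute name returns.
ZONE = {
    "email.corp.example.": "10.0.0.5",        # intranet host, reachable only via the suffix
    "example.cc.corp.example.": "10.0.0.9",   # internal subdomain "cc" colliding with the .cc TLD
    "example.cc.": "203.0.113.7",             # the real, external example.cc
}
SEARCH_LIST = ["corp.example"]                # resolv.conf "search" entries (assumed)


def resolve_absolute(fqdn):
    """Look up a name exactly as given; a trailing dot means no suffix search."""
    return ZONE.get(fqdn if fqdn.endswith(".") else fqdn + ".")


def lookup_with_search(name, search_list=SEARCH_LIST, ndots=1, suffix_first=False):
    """Model getaddrinfo(): glibc tries the search suffixes before the name as
    typed when the name has fewer than `ndots` dots, otherwise after it.
    suffix_first=True models the 'do suffix search first' proposal."""
    as_typed = [name]
    with_suffix = [f"{name}.{s}" for s in search_list]
    if suffix_first or name.count(".") < ndots:
        order = with_suffix + as_typed
    else:
        order = as_typed + with_suffix
    for candidate in order:
        addr = resolve_absolute(candidate)
        if addr:
            return addr
    return None


def detect_suffix_search(name, stats):
    """The counting algorithm from the message: absolute lookup first, then the
    plain name; only answers that needed the search list are counted."""
    addr = resolve_absolute(name + ".")
    if addr:
        return addr                               # no overhead in the common case
    addr = lookup_with_search(name)
    if addr:
        stats["suffix_search"] = stats.get("suffix_search", 0) + 1
    return addr
```

With the constructed data, "email" is counted as a suffix-search hit, while "example.cc" resolves externally under default ordering but flips to the internal host when suffix search runs first, which is the breakage the thread anticipates.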
