Sorry....
I misunderstood the question.
Jay Wilson
Internet Manager
Access L.L.C.
HIGH SPEED INTERNET ACCESS FOR BUSINESS
7518 Enterprise Avenue
Germantown, TN. 38138-3802
(901) 869-8001
-----Original Message-----
From: Henrik Nordstrom [mailto:hno@hem.passagen.se]
Sent: Sunday, January 09, 2000 8:19 AM
To: Miguel A.L. Paraz
Cc: squid-users@ircache.net
Subject: Re: IDEA: Stealth Cache
Miguel A.L. Paraz wrote:
> Problem: How can you be sure that the session you capture is complete and
> not corrupt? Rely on the TCP control information?
TCP contains all verification you need for this.
There is however a serious security warning: Unless you are very careful
about verifying the destination name, users can easily fool the stealth
server to inject false pages into the cache.
Why:
The stealth server will only know the destination IP address. To
reconstruct the server name it must look into the Host: header of the
request data.
How:
By sending a false Host: header in a request to another IP address.
How to avoid:
Make sure that a DNS lookup of the server name returns the same IP
address.
Will not work for:
Load balanced servers returning different IP addresses on different DNS
requests where the other IP addresses are excluded from the DNS response.
--
Henrik Nordstrom
Squid hacker

Received on Sun Jan 09 2000 - 13:28:50 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:50:17 MST
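
The check described in the message above (a DNS lookup of the name in the Host: header must return the destination IP the request was captured going to), as an added example that is not part of the original thread or of Squid. The function names, the injectable resolver and the sample zone are assumptions made for illustration.

```python
import ipaddress
import socket

def extract_host(request: bytes):
    """Host name from the single Host: header; None if missing, repeated or empty."""
    head = request.split(b"\r\n\r\n", 1)[0]
    values = [line.split(b":", 1)[1].strip()
              for line in head.split(b"\r\n")[1:]
              if line.lower().startswith(b"host:")]
    if len(values) != 1:
        return None  # ambiguous or absent: nothing trustworthy to key the cache on
    value = values[0].decode("ascii", "replace").lower()
    if value.startswith("["):              # bracketed IPv6 literal, e.g. [2001:db8::1]:80
        host = value[1:].split("]", 1)[0]
    else:
        host = value.split(":", 1)[0]      # drop an optional :port
    return host.rstrip(".") or None

def system_resolver(name: str) -> set:
    """All addresses the local resolver returns for name (empty set on failure)."""
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except (socket.gaierror, UnicodeError):
        return set()
    return {info[4][0] for info in infos}

def may_cache(request: bytes, dst_ip: str, resolve=system_resolver) -> bool:
    """True only if the captured destination IP is among the DNS answers for Host:."""
    host = extract_host(request)
    if host is None:
        return False
    answers = set()
    for addr in resolve(host):
        try:
            answers.add(ipaddress.ip_address(addr))
        except ValueError:
            continue  # skip anything that is not a plain IP address
    return ipaddress.ip_address(dst_ip) in answers

# Constructed sample data (documentation address ranges), standing in for real DNS.
CONSTRUCTED_ZONE = {"www.example.com": {"192.0.2.10"},
                    "lb.example.com": {"192.0.2.20"}}  # a second balancer IP is not in this answer

def constructed_resolver(name: str) -> set:
    return CONSTRUCTED_ZONE.get(name, set())

CAPTURED = b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
```

The check fails closed: a load-balanced server whose current DNS answer omits the captured destination IP is simply not cached, which is the limitation noted in the message.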