Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

That's actually not secure either, for a different reason -- DNS Rebinding exposes localhost-only servers to the outside world through your web browser.

See e.g. https://bugs.chromium.org/p/project-zero/issues/detail?id=14...



This attack is pretty old. Are the browsers still vulnerable to it?

I could not find any definite information, but Firefox has a bug [0] which starts from:

> Browsers implement their own dns cache to prevent an attack known as dns rebinding.

[0] https://bugzilla.mozilla.org/show_bug.cgi?id=689835


Yes. You can see that this bug was marked wontfix. Ultimately, it seems that browsers have decided that breaking DNS rebinding breaks an unacceptable number of legitimate use cases.

You can still fix it at your own router/DNS server, though.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: