Changeset 1865


Timestamp:
Sep 4, 2012, 8:52:13 PM
Author:
mnot@…
Message:

Update Security Considerations, as per secdir review.

Location:
draft-ietf-httpbis/latest
Files:
2 edited

  • draft-ietf-httpbis/latest/p6-cache.html

    r1864 r1865  
    452452  }
    453453  @bottom-center {
    454        content: "Expires March 8, 2013";
     454       content: "Expires March 9, 2013";
    455455  }
    456456  @bottom-right {
     
    492492      <link href="p5-range.html" rel="prev">
    493493      <link href="p7-auth.html" rel="next">
    494       <meta name="generator" content="http://greenbytes.de/tech/webdav/rfc2629.xslt, Revision 1.588, 2012-08-25 12:28:24, XSLT vendor: SAXON 8.9 from Saxonica http://www.saxonica.com/">
     494      <meta name="generator" content="http://greenbytes.de/tech/webdav/rfc2629.xslt, Revision 1.588, 2012-08-25 12:28:24, XSLT vendor: SAXON 9.1.0.8 from Saxonica http://www.saxonica.com/">
    495495      <link rel="schema.dct" href="http://purl.org/dc/terms/">
    496496      <meta name="dct.creator" content="Fielding, R.">
     
    499499      <meta name="dct.creator" content="Reschke, J. F.">
    500500      <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p6-cache-latest">
    501       <meta name="dct.issued" scheme="ISO8601" content="2012-09-04">
     501      <meta name="dct.issued" scheme="ISO8601" content="2012-09-05">
    502502      <meta name="dct.replaces" content="urn:ietf:rfc:2616">
    503503      <meta name="dct.abstract" content="The Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypertext information systems. This document defines requirements on HTTP caches and the associated header fields that control cache behavior or indicate cacheable response messages.">
     
    525525            </tr>
    526526            <tr>
    527                <td class="left">Expires: March 8, 2013</td>
     527               <td class="left">Expires: March 9, 2013</td>
    528528               <td class="right">M. Nottingham, Editor</td>
    529529            </tr>
     
    542542            <tr>
    543543               <td class="left"></td>
    544                <td class="right">September 4, 2012</td>
     544               <td class="right">September 5, 2012</td>
    545545            </tr>
    546546         </tbody>
     
    568568         in progress”.
    569569      </p>
    570       <p>This Internet-Draft will expire on March 8, 2013.</p>
     570      <p>This Internet-Draft will expire on March 9, 2013.</p>
    571571      <h1><a id="rfc.copyrightnotice" href="#rfc.copyrightnotice">Copyright Notice</a></h1>
    572572      <p>Copyright © 2012 IETF Trust and the persons identified as the document authors. All rights reserved.</p>
     
    18401840         as sensitive information.
    18411841      </p>
     1842      <p id="rfc.section.10.p.2">Implementation flaws might allow attackers to insert content into a cache ("cache poisoning"), leading to compromise of clients
     1843         that trust that content. Because of their nature, these attacks are difficult to mitigate.
     1844      </p>
     1845      <p id="rfc.section.10.p.3">Likewise, implementation flaws (as well as misunderstanding of cache operation) might lead to caching of sensitive information
     1846         (e.g., authentication credentials) that is thought to be private, exposing it to unauthorised parties.
     1847      </p>
     1848      <p id="rfc.section.10.p.4">Note that the Set-Cookie response header <a href="#RFC6265" id="rfc.xref.RFC6265.1"><cite title="HTTP State Management Mechanism">[RFC6265]</cite></a> does not inhibit caching; a cacheable response with a Set-Cookie header can be (and often is) used to satisfy subsequent requests
     1849         to caches. Servers who wish to control caching of these responses are encouraged to emit appropriate Cache-Control response
     1850         headers.
     1851      </p>
    18421852      <h1 id="rfc.section.11"><a href="#rfc.section.11">11.</a>&nbsp;<a id="acks" href="#acks">Acknowledgments</a></h1>
    18431853      <p id="rfc.section.11.p.1">See <a href="p1-messaging.html#acks" title="Acknowledgments">Section 9</a> of <a href="#Part1" id="rfc.xref.Part1.9"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a>.
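Review bot: the new paragraph rfc.section.10.p.2 ends with "Because of their nature, these attacks are difficult to mitigate" without saying what about cache poisoning makes it hard to mitigate; since this HTML is generated from p6-cache.xml the wording fix belongs in the source, but the rendered text should either give the reason briefly (a poisoned entry is returned to every client that the cache serves until it expires or is invalidated) or drop the clause, because as written it reads as an unsupported assertion in a Security Considerations section.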
     
    18861896      <h2 id="rfc.references.2"><a href="#rfc.section.12.2" id="rfc.section.12.2">12.2</a> Informative References
    18871897      </h2>
    1888       <table>         
     1898      <table>           
    18891899         <tr>
    18901900            <td class="reference"><b id="RFC1305">[RFC1305]</b></td>
     
    19101920            <td class="reference"><b id="RFC5861">[RFC5861]</b></td>
    19111921            <td class="top"><a href="mailto:mnot@yahoo-inc.com" title="Yahoo! Inc.">Nottingham, M.</a>, “<a href="http://tools.ietf.org/html/rfc5861">HTTP Cache-Control Extensions for Stale Content</a>”, RFC&nbsp;5861, April&nbsp;2010.
     1922            </td>
     1923         </tr>
     1924         <tr>
     1925            <td class="reference"><b id="RFC6265">[RFC6265]</b></td>
     1926            <td class="top">Barth, A., “<a href="http://tools.ietf.org/html/rfc6265">HTTP State Management Mechanism</a>”, RFC&nbsp;6265, April&nbsp;2011.
    19121927            </td>
    19131928         </tr>
     
    22482263                     </ul>
    22492264                  </li>
     2265                  <li><em>RFC6265</em>&nbsp;&nbsp;<a href="#rfc.xref.RFC6265.1">10</a>, <a href="#RFC6265"><b>12.2</b></a></li>
    22502266               </ul>
    22512267            </li>
  • draft-ietf-httpbis/latest/p6-cache.xml

    r1864 r1865  
    21702170   need to be protected as sensitive information.
    21712171</t>
     2172<t>
     2173   Implementation flaws might allow attackers to insert content into a cache
     2174   ("cache poisoning"), leading to compromise of clients that trust that
     2175   content. Because of their nature, these attacks are difficult to mitigate.
     2176</t>
     2177<t>
     2178   Likewise, implementation flaws (as well as misunderstanding of cache
     2179   operation) might lead to caching of sensitive information (e.g.,
     2180   authentication credentials) that is thought to be private, exposing it to
     2181   unauthorised parties.
     2182</t>
     2183<t>
     2184   Note that the Set-Cookie response header <xref target="RFC6265"/> does not
     2185   inhibit caching; a cacheable response with a Set-Cookie header can be (and
     2186   often is) used to satisfy subsequent requests to caches. Servers who wish
     2187   to control caching of these responses are encouraged to emit appropriate
     2188   Cache-Control response headers.
     2189</t>
     2190
    21722191</section>
    21732192
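Review bot: "Servers who wish to control caching of these responses" should read "Servers that wish", and "unauthorised" is British spelling, so check it against the spelling used elsewhere in this document. The closing advice "emit appropriate Cache-Control response headers" would be more actionable if it named the directives this document defines for the purpose, e.g. `Cache-Control: no-store` or `Cache-Control: private`, since an otherwise cacheable response carrying Set-Cookie is exactly the case where a user's cookie can be handed to other users of a shared cache.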
     
    24552474    </front>
    24562475    <seriesInfo name='RFC' value='5861' />
     2476  </reference>
     2477
     2478  <reference anchor="RFC6265">
     2479    <front>
     2480      <title>HTTP State Management Mechanism</title>
     2481      <author initials="A." surname="Barth" fullname="A. Barth">
     2482        <organization/>
     2483      </author>
     2484      <date year="2011" month="April"/>
     2485    </front>
     2486    <seriesInfo name="RFC" value="6265"/>
     2487    <format type="TXT" octets="79724" target="http://www.rfc-editor.org/rfc/rfc6265.txt"/>
    24572488  </reference>
    24582489
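Review bot: the new RFC6265 reference uses double-quoted attributes and a self-closing `<seriesInfo name="RFC" value="6265"/>`, while the RFC5861 entry just above uses single quotes with a space before the slash (`<seriesInfo name='RFC' value='5861' />`); both are well-formed, but the file should settle on one style. The new entry also adds a `<format type="TXT" octets="79724" .../>` element; check whether the other references in this section carry one, and either add it to them or drop it here so the informative references render consistently.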