Web Key Directory - HTTP Redirect?
wiktor at metacode.biz
Tue Dec 18 10:03:50 CET 2018
On 18.12.2018 08:09, Werner Koch wrote:
> The example they give is that in the internal network you have a server
> which controls, say, a chemical plant. That server has only IP based
> authentication and allows to open all kind of valves just by an HTTP
> request. Someone inside of example.org sends a mail to an outsider and
> the MUA automatically encrypts to that outsider. In the course of that
> an HTTP request is sent to the outsider's domain and that replies with a
> 302 and a malicious Location header. bang. A bit far-fetched, but we
> better inhibit this.
Yes, agreed, especially as the change doesn't break common redirects (like
bare domain to "www" subdomain etc.)
Still, the "has only IP based authentication" problem strikes me as extremely
easy to mount anyway without GnuPG, e.g. by embedding
<img src="http://internal/launch-nukes?confirm=yes"> in a webpage or in an e-mail.
Thanks for taking the time to explain the attack!