Disable the fallback virtual host

Bug #1390054 reported by François Marier
Affects: Libravatar (obsolete)
Status: Confirmed
Importance: Medium
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

As described in this paper (also attached here):

  https://www.blackhat.com/docs/us-14/materials/us-14-Delignat-The-BEAST-Wins-Again-Why-TLS-Keeps-Failing-To-Protect-HTTP-wp.pdf

the automatic fallback to the default Apache vhost can be used to exploit flaws in TLS.

We should try to disable the default fallback vhost and always return 400 when clients request an invalid vhost.
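One way to implement the catch-all vhost the report asks for, as an added Apache configuration example (this is not the Libravatar project's own configuration; the host names, certificate paths and file name are placeholders):

```apache
# Added example, not Libravatar's configuration. Apache serves the FIRST vhost
# defined for an address:port whenever the SNI name or Host header matches no
# ServerName/ServerAlias, so this catch-all must be loaded before every real
# site (on a Debian-style layout, e.g. as sites-enabled/000-catchall.conf).
<VirtualHost *:443>
    # Placeholder name; it must not match any real site
    ServerName catchall.invalid
    SSLEngine on
    # Any certificate will do, since nothing real is ever served here.
    # Paths are placeholders for a throwaway self-signed pair.
    SSLCertificateFile    /etc/ssl/certs/catchall-selfsigned.pem
    SSLCertificateKeyFile /etc/ssl/private/catchall-selfsigned.key
    DocumentRoot /var/www/empty
    # Because this is the default name-based vhost, "on" here refuses clients
    # that send no SNI at all instead of handing them to some real site
    SSLStrictSNIVHostCheck on
    # Answer every request with 400 Bad Request; a non-3xx code in R= drops
    # the substitution and stops rewriting, so nothing is redirected
    RewriteEngine on
    RewriteRule ^ - [R=400,L]
    # Keep these logs separate: hits here are misconfigured clients or
    # someone probing name mismatches, and are worth reviewing
    ErrorLog  /var/log/apache2/catchall-error.log
    CustomLog /var/log/apache2/catchall-access.log combined
</VirtualHost>

# A real site, defined after the catch-all (host name is a placeholder)
<VirtualHost *:443>
    ServerName avatars.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/avatars.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/avatars.example.org.key
    DocumentRoot /var/www/avatars
</VirtualHost>
```

To verify the change, connect with a name no vhost serves (for example `openssl s_client -connect HOST:443 -servername nonexistent.invalid`) and issue a GET; the answer should be a 400, not a real site's pages.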

Tags: security tls