So someone asked me what users should do, to protect themselves against DNS Rebinding attacks.
That’s when I realized it wasn’t completely obvious to people that XSRF is irrelevant as long as DNS Rebinding exists.
XSRF — Cross Site Request Forgery — deals with the concept that random web sites can in fact cause your browser to make arbitrary GET and POST requests. If you have a home router that will respond to these arbitrary GET/POSTs by, for example, changing its DNS server to an arbitrary location, well, it’s now pretty easy for someone to hijack your network connection.
You go to a website, it reconfigures your router. Not good.
Traditionally, XSRF defenses use the fact that a cross-site request can’t have its response read out by script. So if using a router’s web interface depends on pulling some data out from a login page response, the attacker who can cause a browser to make arbitrary requests can’t do anything.
Except, DNS Rebinding means an attacker can read these responses, because the Same Origin Policy that’s supposed to establish this security boundary is easily bypassed by putting both the home router and the attacker server in the same DNS domain.
So, the #1 thing people need to do to protect themselves against DNS Rebinding — set strong passwords on your home router. Not a single device in the field with a weak password can be safe. Every XSRF defense has been defeated. *sighs*
In other news, this entire class of bugs seems to be attached to an ancient law of security: “Simultaneous access to multiple security domains is hard.” We’re trying to do something very difficult with private content on the web, and given the creakiness of something as essential as the Same Origin Policy, I’m becoming increasingly worried that we’re missing some essential infrastructure here.
That being said, so many people are working together on fixing SOP that the inertia from that effort might well drive further goodness. Cool!