Set caching HTTP response headers #19

Open
1 of 3 tasks
JeremyRand opened this issue Aug 14, 2021 · 1 comment
Comments

JeremyRand commented Aug 14, 2021

We are still running into occasional issues where an AIA Parent certificate will be loaded from the CryptNet cache (as opposed to the network) on Windows even though the cached cert has expired. This causes cert validation to fail when revisiting a site that was previously visited some days/weeks ago. This doc insinuates that the cache keeps track of the following response headers:

  • Last-Modified
  • max-age in Cache-Control
  • ETag

This means we might be able to fix this breakage by including those response headers in Encaya. (Right now, none of them are included by Encaya.)
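An added example, not Encaya's own code, of a Go AIA handler that sets the three headers listed above; max-age is derived from the certificate's own NotAfter so a cached parent cert can never outlive its validity. The function names and the placeholder certificate in main are hypothetical.

```go
package main

import (
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"net/http"
	"time"
)

// aiaCacheHeaders derives the three headers from the DER certificate itself,
// so a client cache (e.g. Windows CryptNet) drops the entry when the cert expires.
func aiaCacheHeaders(cert *x509.Certificate, now time.Time) http.Header {
	h := http.Header{}
	// ETag: strong validator bound to the exact DER bytes being served.
	sum := sha256.Sum256(cert.Raw)
	h.Set("ETag", `"`+hex.EncodeToString(sum[:])+`"`)
	// Last-Modified: the certificate's NotBefore is when its content last changed.
	h.Set("Last-Modified", cert.NotBefore.UTC().Format(http.TimeFormat))
	remaining := cert.NotAfter.Sub(now)
	if remaining <= 0 {
		// Already expired: a cached copy must never be reused.
		h.Set("Cache-Control", "no-store, max-age=0")
		return h
	}
	// max-age is rounded down so the cache never outlives the certificate.
	h.Set("Cache-Control", fmt.Sprintf("public, max-age=%d", int64(remaining/time.Second)))
	return h
}

// serveAIA writes a DER certificate with those headers and honours
// If-None-Match, so revalidating an unexpired cached entry costs only a 304.
func serveAIA(w http.ResponseWriter, r *http.Request, cert *x509.Certificate) {
	for k, v := range aiaCacheHeaders(cert, time.Now()) {
		w.Header()[k] = v
	}
	if r.Header.Get("If-None-Match") == w.Header().Get("ETag") {
		w.WriteHeader(http.StatusNotModified)
		return
	}
	w.Header().Set("Content-Type", "application/pkix-cert")
	w.Write(cert.Raw)
}

func main() {
	// Constructed sample: placeholder DER bytes with a 1-hour validity period.
	now := time.Now()
	cert := &x509.Certificate{Raw: []byte{0x30, 0x03}, NotBefore: now, NotAfter: now.Add(time.Hour)}
	fmt.Println(aiaCacheHeaders(cert, now))
}
```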

JeremyRand (Member, Author) commented:

The response headers can be MITM'ed by an attacker since AIA doesn't connect over TLS, but AFAICT the only thing a spoofed caching header can do is DoS things, and anyone who can do a MITM has lots of easier ways of DoSing things.

Also see namecoin/ncdns-nsis#87 for a different way this issue can manifest, with a different proposed solution. (I think we should do both solutions, but the one in this issue should be deployed first so that we can hopefully smoke out any remaining AIA cache issues).

JeremyRand added a commit to namecoin/safetlsa that referenced this issue Aug 25, 2021
5575bee Make 1-hour validity period configurable via cflag (Jeremy Rand)

Pull request description:

  This should make it easier to debug namecoin/encaya#19

Top commit has no ACKs.

Tree-SHA512: f5d972df7fa360b5e27da04936ffe7c598a50febaf5a4b67333ee7250eaac0d9a23cb162043ccca3a8349c6e35f8147aca3ba014053fd1c9c1738e393b119ffe
JeremyRand added 5 commits to JeremyRand/encaya that referenced this issue Aug 25, 2021
JeremyRand added a commit to JeremyRand/generate_nmc_cert that referenced this issue Aug 25, 2021
  Based on CAPI2 logs, it appears that usage of AIA over HTTPS was a contributing factor to namecoin/encaya#19 .
JeremyRand added a commit to JeremyRand/generate_nmc_cert that referenced this issue Aug 25, 2021
  Based on CAPI2 logs, it appears that usage of AIA over HTTPS was a contributing factor to namecoin/encaya#19 .
JeremyRand added a commit to JeremyRand/generate_nmc_cert that referenced this issue Aug 26, 2021
  Based on CAPI2 logs, it appears that usage of AIA over HTTPS was a contributing factor to namecoin/encaya#19 .
JeremyRand added a commit to namecoin/generate_nmc_cert that referenced this issue Aug 26, 2021
b9f4ad6 Fix goimports warning (Jeremy Rand)
93aa4ba Disable AIA over HTTPS (Jeremy Rand)

Pull request description:

  Based on CAPI2 logs, it appears that usage of AIA over HTTPS was a contributing factor to namecoin/encaya#19 .

Top commit has no ACKs.

Tree-SHA512: c8077e281cc865f9a05c430c2d100b82f0d33d691c0ac424ef9cd2df38031c40083942fef09aef7e6ab89fa35f0c647b4a69a043224254474ddc65b5fb99e7d2
JeremyRand added a commit that referenced this issue Aug 26, 2021
895ec93 Set max-age for short-term AIA responses (Jeremy Rand)

Pull request description:

  Refs #19

Top commit has no ACKs.

Tree-SHA512: 93728fd70729b9fc851790d5a5c5291f007e6d1a63958591d4f6623e5f33fa09f8500dd29fe48bd72dba772fba856849ac976e2877dbcc9f80fe8fb4873bc674