Regarding interim fixes for protecting against Apache Killer (the Range header exploit), many system administrators are unsure whether to block the Range header completely or to allow only a limited number of ranges. Last Friday, I took the approach of banning the HTTP Range header completely. After discussions with some system administrators, they were of the view that restricting requests to 5 ranges is the recommendable method. The reason is that Microsoft IIS allows no more than 5 ranges in a header, and IE browsers conform strictly to IIS. That is to say, IE browsers will never send an HTTP Range header with more than 5 ranges.
This is sound and reasonable and so I decided to follow the approach.
It might be asked why Firefox, Chrome, Safari, Opera and the mini-browsers on smartphones are not considered as well. The situation is complicated, and there is no perfect answer.
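As an added example (not code from the original post), the following Python filter implements both interim policies discussed above: banning any request that carries a Range header, or allowing at most five byte ranges as IIS does. The header parsing, the `allow_request` function and the sample requests are constructed for this demonstration.

```python
import re

# Limit the post adopts: IIS accepts at most 5 ranges and IE never sends more.
MAX_RANGES = 5

# "bytes=" followed by one or more comma-separated byte-range-specs,
# each "first-last", "first-" or "-suffix_length" (RFC 2616 section 14.35).
_HEADER_RE = re.compile(r"^bytes=(.+)$")
_SPEC_RE = re.compile(r"^(\d+-\d*|-\d+)$")


def count_ranges(value):
    """Number of byte-range-specs in a Range header value, or None if malformed."""
    m = _HEADER_RE.match(value.strip())
    if not m:
        return None
    specs = [s.strip() for s in m.group(1).split(",")]
    if any(not _SPEC_RE.match(s) for s in specs):
        return None
    return len(specs)


def allow_request(headers, policy="limit", max_ranges=MAX_RANGES):
    """policy="ban": reject any request carrying Range; policy="limit": reject a
    malformed Range or one with more than max_ranges specs (header names are
    matched case-insensitively, as HTTP requires)."""
    value = next((v for k, v in headers.items() if k.lower() == "range"), None)
    if value is None:
        return True  # no Range header: nothing to filter
    if policy == "ban":
        return False
    n = count_ranges(value)
    return n is not None and n <= max_ranges


def demo():
    """Both policies over constructed sample headers (not captured traffic)."""
    samples = {
        "plain GET": {},
        "resume download": {"Range": "bytes=1000-"},
        "five ranges (IE maximum)": {"range": "bytes=0-1,2-3,4-5,6-7,8-9"},
        "six ranges": {"Range": "bytes=0-1,2-3,4-5,6-7,8-9,10-11"},
        # Hundreds of ranges in one header, the pattern behind Apache Killer.
        "flood": {"Range": "bytes=" + ",".join(f"{i}-{i + 1}" for i in range(300))},
    }
    return {name: (allow_request(h, "ban"), allow_request(h, "limit"))
            for name, h in samples.items()}
```

Note that the "ban" policy also rejects the legitimate resume-download request, which is the trade-off the full ban approach accepts.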