2011/08/29

Apache Killer again


Regarding interim fixes for protecting against Apache Killer (the Range exploit), many system administrators are unsure whether to ban the Range header completely or to allow only a limited number of ranges. Last Friday, I took the approach of banning the HTTP Range header completely. After discussions with some system administrators, they were of the view that restricting requests to 5 ranges is the recommendable method. The reason is that Microsoft IIS allows no more than 5 ranges in the header, and IE browsers are in strict conformance with IIS. That is to say, IE browsers will not send HTTP headers with more than 5 ranges.

This is sound and reasonable, so I decided to follow that approach.
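The 5-range policy described above, as an added example that is not part of the original post: a small Python check that counts the byte-range-specs in a Range header and rejects requests with more than five (or with a malformed header), run over constructed sample headers. Treating a malformed header as a rejection is an assumption of this example, chosen to match what a negated allow-list regex in a web server rewrite rule would do.

```python
import re

# Constructed policy threshold, following the post's reasoning: IIS accepts at
# most 5 ranges and IE never sends more, so 5 covers that client base.
MAX_RANGES = 5

# One byte-range-spec per RFC 2616 14.35.1: "first-last", "first-", or "-suffix".
_RANGE_SPEC = re.compile(r"^(\d+-\d*|-\d+)$")


def count_ranges(range_header):
    """Return the number of byte-range-specs in a Range header value.

    Returns None when the value is not a well-formed bytes range, so the
    caller can decide how to treat malformed input (here: reject it).
    """
    value = range_header.strip()
    if not value.lower().startswith("bytes="):
        return None
    specs = [s.strip() for s in value[len("bytes="):].split(",")]
    if not specs or any(not _RANGE_SPEC.match(s) for s in specs):
        return None
    return len(specs)


def should_reject(range_header):
    """Apply the policy: no header -> allow, malformed -> reject,
    more than MAX_RANGES ranges -> reject, otherwise allow."""
    if range_header is None or range_header.strip() == "":
        return False
    n = count_ranges(range_header)
    return n is None or n > MAX_RANGES


# Constructed sample headers: a normal download-resume request, a 5-range
# request that IE could legitimately send, a 6-range request that the policy
# blocks, a long list of the kind the interim fix is meant to stop, and a
# malformed value.
SAMPLES = {
    "resume": "bytes=500-",
    "five": "bytes=0-0,1-1,2-2,3-3,4-4",
    "six": "bytes=0-0,1-1,2-2,3-3,4-4,5-5",
    "long": "bytes=" + ",".join("%d-%d" % (i, i) for i in range(40)),
    "bad": "bytes=abc",
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print("%-6s ranges=%s reject=%s" % (name, count_ranges(hdr), should_reject(hdr)))
```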

It might be argued: why not also consider Firefox, Chrome, Safari, Opera and the mini-browsers on smartphones? The situation is complicated, and there is no perfect answer.
