RE: http://www.domainname.com./ (with the ending)

["Wall, Kevin" <Kevin.Wall () qwest com>]

Michael Scovetta writes...

> I don't think this is anything to be concerned about, but I 
> find it odd that some websites (looks like IIS-sites), if you 
> go to http://server./ (with a period appended), you usually 
> get a "no web site configured", or "under construction". I 
> guess the browser ignores the last . and finds the name in 
> DNS, but then puts the . in the Host header. It looks like 
> Apache ignores the . in the host header, so you go wind up 
> seeing http://server/'s content even though the URL says 
> http://server./ 
>
> For instance:
>       http://www.google.com./                 Normal Google page
>       http://www.easyasphosting.com./ 400 - bad request
>       http://www.iviewstudio.com./            404 - File Not 
> Found (or "No web site is configured at this address")
>
> I'd assume that if you have multiple hosts configured, then 
> the . throws it off. 

Looks like you may have stumbled upon a new way (to me at least)
to fingerprint web servers. Anyone know what RFC 2616 (HTTP 1.1 spec)
says the behavior _should_ be for this (if it even mentions it at all).
I gotta run and have no time to look it up now, but intuition says
it should be ignored in the HOST header since its a valid DNS name.

-kevin
---
Kevin W. Wall           Qwest Information Technology, Inc.
Kevin.Wall () qwest com Phone: 614.215.4788
"The reason you have people breaking into your software all 
over the place is because your software sucks..."
 -- Former whitehouse cybersecurity advisor, Richard Clarke,
    at eWeek Security Summit