[460] in cryptography@c2.net mail archive

Re: SSL Browser Vulnerability Discovered

daemon@ATHENA.MIT.EDU (Bill Stewart)
Wed Apr 2 09:53:25 1997

Date: Tue, 01 Apr 1997 22:30:47 -0800
To: risks@CSL.sri.com
From: Bill Stewart <stewarts@ix.netcom.com>
Cc: tomw@netscape.com (Tom Weinstein), cryptography@c2.net
In-Reply-To: <199704020300.TAA08655@slack.lne.com>

GET URLs containing private data get copied into the HTTP-REFERRER field
of any URLs referenced on the page returned by the GET URL, including
explicit references requiring a user click and implicit references 
such as IMGs and Counter services.  While the Netscape folks think this
is pretty obvious, apparently it's surprising enough to many people
to lead to discussions in RISKS :-)  Netscape is already bright enough
to prompt for "Are you sure you want this potentially insecure page?"
when you submit a form from an https: page to a non-https: URL - 
perhaps it needs to do this _whenever_ there's a reference 
(e.g. for IMGs as well), or at least when the current page's URL
contains a "?".  That doesn't eliminate all secret data - a web page
like https://foo.com/projects/future/transmogrifier.html or
https://army.mil/planning/1998/invasions/cuba/ still carries information,
but it's information from the web page author (who can be expected
to think about protecting his own information) rather than the reader.



#			Thanks;  Bill
# Bill Stewart, +1-415-442-2215 stewarts@ix.netcom.com
# You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp
#     (If this is a mailing list, please Cc: me on replies.  Thanks.)
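
Added example, not part of the original message: a small audit that applies the heuristic proposed above, listing every cross-origin reference on a page that would be sent the page's URL as Referer and flagging the case where that URL contains a "?". The function names, the regex-based extraction and the sample hosts are assumptions made for illustration.

```javascript
// Assumption: references are pulled from src/href attributes with a regex;
// a production audit would use a real HTML parser.
function extractReferences(html) {
  const refs = [];
  const attr = /<(img|a|script|iframe|link)\b[^>]*?\b(?:src|href)\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = attr.exec(html)) !== null) {
    refs.push({ tag: m[1].toLowerCase(), url: m[2] });
  }
  return refs;
}

// Report each cross-origin reference that would receive pageUrl as Referer.
function auditRefererLeaks(pageUrl, html) {
  const page = new URL(pageUrl);
  const findings = [];
  for (const ref of extractReferences(html)) {
    let target;
    try { target = new URL(ref.url, page); } catch { continue; }
    if (!/^https?:$/.test(target.protocol)) continue; // mailto:, data:, etc.
    if (target.origin === page.origin) continue;      // same site already knows the URL
    findings.push({
      target: target.href,
      // Fetched without a user click (IMGs, counter services).
      implicit: ref.tag !== 'a',
      // The "?" test from the message: the URL carries reader-supplied data.
      readerData: page.search.length > 1,
      // https: page referencing a non-https: URL.
      downgrade: page.protocol === 'https:' && target.protocol === 'http:',
    });
  }
  return findings;
}

// Constructed sample: a GET result page whose URL carries the reader's data.
const SAMPLE_URL = 'https://bank.example/statement?acct=12345678';
const SAMPLE_HTML = `
  <img src="http://counter.example/hit.gif">
  <a href="https://partner.example/offers">Offers</a>
  <img src="/logo.gif">
  <a href="mailto:help@bank.example">Help</a>`;

console.log(auditRefererLeaks(SAMPLE_URL, SAMPLE_HTML));
```

Current browsers default to `Referrer-Policy: strict-origin-when-cross-origin`, which drops the path and query on cross-origin requests, so findings from this audit matter most for clients or pages that override that default.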

