[1239] in WWW Security List Archive
Re: E-mail Address in WEB Browser
daemon@ATHENA.MIT.EDU (Robert S. Muhlestein)
Thu Dec 14 20:44:41 1995
Date: Thu, 14 Dec 1995 14:09:14 -0800 (PST)
From: "Robert S. Muhlestein" <robertm@teleport.com>
To: Joshua Heling <heling@virtu.sar.usf.edu>
cc: Jonathon Tidswell <t-jont@microsoft.com>, patw@aqmd.gov,
www-security@ns2.rutgers.edu
In-Reply-To: <Pine.SUN.3.91.951214124454.23237A-100000@virtu>
Errors-To: owner-www-security@ns2.rutgers.edu
On Thu, 14 Dec 1995, Joshua Heling wrote:
> I must admit I'm surprised that netscape didn't at least do something
> like add a headerfield (X-Originated-From, for example), in cases where
> the user input name and return mail address indicated a different domain
> than they were really in.
Actually, the "From:" header is an optional part of the HTTP spec that no
browser I know chooses to send, in any fashion, with its requests. The
security reason is obvious, but it seems like it would be relatively easy
to add a "Send From header with HTTP requests" checkbox to the browser
prefs. Then HTTP_FROM would be available for server and CGI use (although
still unconfirmable).
I think Netscrape should have considered this before encouraging
everyone to use "mailto" as a form action element (in the usual
let's-screw-the-standards Netscape way).
> However, I think we're looking over perhaps the easiest way to check
> validity - the Received: headers on the mail. If I send mail that claims
> to be from martin@martian.org, and you examined the headers, you would
> see that the first machine it traveled through was virtu.sar.usf.edu.
> You would then see it go through a bunch of others, but almost certainly
> *never* any machine in the martian.org domain. This makes it pretty much
> a dead giveaway.
>
> - --Joshua
>
> Addendum - I say this in the context of web mailto: forms alone,
> really. Of course for more serious or sensitive email, there's
> absolutely no replacement for strong digital signatures and/or encryption.
Ditto.
Robert Muhlestein
Teleport Creative Services
CGI-BIN Programmer
cgi@teleport.com
My comments are mine alone.
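The Received:-header check Joshua describes above, written out as an added example that is not part of the original thread or of any of the posters' code. It walks the Received: chain of a message (outermost relay first, so the last hop is the one closest to the originator) and reports whether any relay sits in the domain the From: line claims. The two sample messages, their IP addresses and relay names other than the hostnames already mentioned in the thread are constructed for this example.

```python
import email
import email.utils
import re
from email import policy

# Pattern for the "from <host>" clause that opens a Received: header.
RECEIVED_FROM_RE = re.compile(r"^\s*from\s+([A-Za-z0-9.-]+)", re.IGNORECASE)

# Constructed sample: a mailto:-style submission claiming martian.org, but the
# innermost (earliest) relay is virtu.sar.usf.edu, as in the thread.
FORGED_ORIGIN = """\
Received: from ns2.rutgers.edu (ns2.rutgers.edu [192.0.2.10])
\tby relay.example.net with SMTP id AA123; Thu, 14 Dec 1995 12:45:00 -0500
Received: from virtu.sar.usf.edu (virtu.sar.usf.edu [192.0.2.20])
\tby ns2.rutgers.edu with SMTP id BB456; Thu, 14 Dec 1995 12:44:54 -0500
From: martin@martian.org
To: patw@aqmd.gov
Subject: form submission

hello
"""

# Constructed counter-example: same claim, but the earliest relay really is
# a host inside martian.org, so the chain is consistent with the From: line.
GENUINE_ORIGIN = """\
Received: from ns2.rutgers.edu (ns2.rutgers.edu [192.0.2.10])
\tby relay.example.net with SMTP id AA789; Thu, 14 Dec 1995 12:45:00 -0500
Received: from mail.martian.org (mail.martian.org [192.0.2.30])
\tby ns2.rutgers.edu with SMTP id BB012; Thu, 14 Dec 1995 12:44:50 -0500
From: martin@martian.org
To: patw@aqmd.gov
Subject: form submission

hello
"""


def received_hops(raw_message: str) -> list[str]:
    """Return the 'from' host of every Received: header, outermost first.

    Each relay prepends its own Received: line, so the last entry in the
    returned list is the hop nearest the original sender.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        match = RECEIVED_FROM_RE.match(str(value))
        if match:
            hops.append(match.group(1).lower())
    return hops


def claimed_domain(raw_message: str) -> str:
    """Domain part of the (unverified) From: address."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    addr = email.utils.parseaddr(str(msg["From"]))[1]
    return addr.rpartition("@")[2].lower()


def origin_consistent(raw_message: str) -> dict:
    """Check whether any relay in the Received: chain belongs to the claimed domain."""
    domain = claimed_domain(raw_message)
    hops = received_hops(raw_message)
    in_domain = [h for h in hops if h == domain or h.endswith("." + domain)]
    return {
        "claimed_domain": domain,
        "hops": hops,
        "first_hop": hops[-1] if hops else None,
        "consistent": bool(in_domain),
    }


if __name__ == "__main__":
    for label, sample in (("forged", FORGED_ORIGIN), ("genuine", GENUINE_ORIGIN)):
        print(label, origin_consistent(sample))
```

Only the Received: lines added by relays you operate or trust are reliable: anything below the first trusted hop was written by whoever handed the message in and can say whatever they like. The check is therefore useful as Joshua frames it, a quick sanity test for web form mail, and not a substitute for the signatures he recommends for anything sensitive.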