[1242] in WWW Security List Archive
Re: E-mail Address in WEB Browser
daemon@ATHENA.MIT.EDU (smb@research.att.com)
Thu Dec 14 23:07:41 1995
From: smb@research.att.com
To: "Robert S. Muhlestein" <robertm@teleport.com>
cc: www-security@ns2.rutgers.edu
Date: Thu, 14 Dec 95 20:14:37 EST
Errors-To: owner-www-security@ns2.rutgers.edu
On Thu, 14 Dec 1995, Joshua Heling wrote:
Actually, the "From:" header is an optional part of the HTTP
spec that no browser I know chooses to send, in any fashion,
with its requests. The security reason is obvious, but it
seems like it would be relatively easy to add a "Send From
header with HTTP requests" checkbox to the browser prefs.
Then HTTP_FROM would be available for server and CGI use
(although still unconfirmable).
The From: line has also been attacked as an invasion of privacy. Let's
put it like this -- www.playboy.com and www.penthousemag.com are among
the most popular sites on the Web. Lots of people don't like the
existence of a log that could be subpoenaed by, say, Senator Exon.
Not your cup of tea? What about Web sites belonging to extremist
political organizations?
I think Netscrape should have considered this before encouraging
everyone to use "mailto" as a form action element (in the usual
lets-screw-the-standards Netscape way).
Actually, mailto is standard; see RFC 1738. But that's irrelevant, in
the sense that SMTP mail never has been, and never can be, secure --
``authenticated'' is really the proper word -- the way you want. You
don't need Netscape; all you really need is telnet to some random port 25.
And there are more subtle ways to abuse the email system as well.
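The "telnet to some random port 25" point above, as an added example that is not part of the original message or of the list archive: a tiny fake MTA (a stand-in for an ordinary unauthenticated SMTP server of the period) and a client that sends it exactly the EHLO / MAIL FROM / RCPT TO / DATA / QUIT lines one would otherwise type by hand. Both the envelope sender and the From: header are simply asserted by the client and accepted as-is. All host names, addresses and the message text are constructed for the demo.

```python
import smtplib
import socket
import threading
from email.message import EmailMessage


def fake_mta(listener, record):
    """Serve one SMTP session the way a plain MTA on port 25 did: every claim
    the client makes is accepted verbatim and nothing is verified.
    (Constructed stand-in for a real server; not a real MTA.)"""
    conn, _ = listener.accept()

    def reply(text):
        record["transcript"].append(("S", text))
        conn.sendall(text.encode() + b"\r\n")

    with conn, conn.makefile("rb") as rfile:
        reply("220 mail.example.test ESMTP (constructed fake MTA)")
        in_data, body = False, []
        for raw in rfile:
            line = raw.rstrip(b"\r\n")
            if in_data:
                if line == b".":                      # end of message text
                    record["data"] = b"\r\n".join(body).decode()
                    in_data = False
                    reply("250 2.0.0 queued")
                else:                                 # undo dot-stuffing
                    body.append(line[1:] if line.startswith(b".") else line)
                continue
            record["transcript"].append(("C", line.decode(errors="replace")))
            verb = line.split(b" ", 1)[0].split(b":", 1)[0].upper()
            if verb in (b"HELO", b"EHLO"):
                reply("250 mail.example.test")
            elif verb == b"MAIL":                     # envelope sender: taken on faith
                record["envelope_from"] = line.split(b":", 1)[1].strip().decode()
                reply("250 2.1.0 sender ok")
            elif verb == b"RCPT":
                record["rcpt_to"] = line.split(b":", 1)[1].strip().decode()
                reply("250 2.1.5 recipient ok")
            elif verb == b"DATA":
                in_data = True
                reply("354 end data with <CR><LF>.<CR><LF>")
            elif verb == b"QUIT":
                reply("221 2.0.0 bye")
                break
            else:
                reply("500 5.5.1 command unrecognized")


def forge_demo(claimed_from="senator@example.test", victim="reader@example.test"):
    """Send mail to the fake MTA with a sender of our choosing in both the
    envelope and the From: header, and return what the MTA recorded."""
    record = {"transcript": []}
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))        # any free port; a real MTA sits on 25
    listener.listen(1)
    port = listener.getsockname()[1]
    server = threading.Thread(target=fake_mta, args=(listener, record))
    server.start()

    msg = EmailMessage()
    msg["From"] = claimed_from             # the From: header is free-form text
    msg["To"] = victim
    msg["Subject"] = "constructed demo message"
    msg.set_content("Nothing in this session proved who sent this.\n")

    # smtplib emits the same command lines a hand-typed telnet session would.
    with smtplib.SMTP("127.0.0.1", port, local_hostname="client.example.test") as client:
        client.sendmail(claimed_from, [victim], msg.as_string())
    server.join()
    listener.close()
    return record


def was_authenticated(record):
    """True only if the client ever presented credentials (an AUTH command);
    the plain SMTP dialogue above contains no such step."""
    return any(who == "C" and line.upper().startswith("AUTH")
               for who, line in record["transcript"])


if __name__ == "__main__":
    result = forge_demo()
    for who, line in result["transcript"]:
        print(who, line)
    print("envelope sender accepted:", result["envelope_from"])
    print("authenticated:", was_authenticated(result))
```

The recorded transcript is the whole of what the receiving side ever learns about the sender: a hostname in EHLO, an address in MAIL FROM, and a From: header inside DATA, all three typed by the client. That is why the message above calls the HTTP From: header "unconfirmable" and mail "never secure" in the sense of authenticated.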