[624] in WWW Security List Archive
Re: HTTP "Referer" field considered harmful
daemon@ATHENA.MIT.EDU (Goran Oberg)
Tue Apr 25 07:22:09 1995
To: wmperry@spry.com
Cc: Paul Phillips <psphilli@sdcc8.UCSD.EDU>, www-security@ns2.rutgers.edu,
Goran.Oberg@dc.luth.se
In-Reply-To: Your message of "Mon, 24 Apr 1995 18:42:00 PDT."
<m0s3ZeL-00000EC@monolith>
Date: Tue, 25 Apr 1995 10:08:24 +0200
From: Goran Oberg <Goran.Oberg@dc.luth.se>
Errors-To: owner-www-security@ns2.rutgers.edu
To omit everything after a question mark would not solve the problem. It
could give a false sense of security and that's something I think we should
try to stay clear of.
In the case of SATAN it wouldn't do any good as SATAN URLs are in the form
http://<localhost>:<unknown_high_port_number>/<unknown_magic_cookie>/<path>
and would be revealed all the same. So anyone running SATAN using the WWW-
interface shouldn't connect to other servers in the midst of a SATAN-session.
Wkr
/G
PS. s/SATAN/SANTA/g if ( $OFFENDED ); (-:
> > The http spec has (and has had) this to say about it:
> >
> > Note: Because the source of a link may be considered private
> > information or may reveal an otherwise secure information
> > source, it is strongly recommended that the user be able to
> > select whether or not the Referer field is sent. For
> > example, a browser client could have a toggle switch for
> > browsing openly/anonymously, which would respectively
> > enable/disable the sending of Referer and From information.
> >
> > I am unaware of any browsers that implement this option (not to say that
> > none do, but if it exists on any that I use, it's well hidden.) This is
> > far from a complete solution, because it relies on the user not to
> > redistribute the URL rather than keeping it under the control of the
> > server. It is part and parcel of the protocol that the user must know the
> > URL, though, because the browser had to open to it in the first place.
> > Thus you are correct that assuming a URL will remain secret is inherently
> > insecure.
>
> One way to get around this would be to say that browsers should never
> send the 'query' part of a URL in a Referer: field.
>
> -Bill P.
--
Göran Öberg            University of Luleå, SWEDEN          Student MSc CS
Kårhusvägen 5:414      <URL:http://www.luth.se/~goggi/>     Adm./CoAdm. of
S-977 54 Luleå         Goran.Oberg@dc.luth.se               {www,wais,ftp,gopher}.luth.se
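The point Goran makes above, that stripping the query string from the Referer still leaks a secret carried in the path (the SATAN-style magic cookie), can be checked mechanically. The following is an added example, not code from the thread; the URLs, port and cookie value are constructed placeholders, and it compares Bill P.'s strip-the-query proposal with an origin-only Referer and with the spec's option of not sending Referer at all.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample URLs (placeholder host, port and cookie, not real values).
# SATAN-style: the secret lives in the path, not the query.
SATAN_STYLE_URL = "http://localhost:61234/a3f9c2e1b7d4/satan/reports/index.html"
SATAN_SECRET = "a3f9c2e1b7d4"
# CGI-style: the secret lives in the query string.
QUERY_STYLE_URL = "http://example.test/cgi-bin/lookup?token=s3cr3t&id=42"
QUERY_SECRET = "s3cr3t"


def referer_strip_query(url: str) -> str:
    """Bill P.'s proposal: send the URL without its query (and fragment)."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))


def referer_origin_only(url: str) -> str:
    """Stricter policy: send only scheme://host[:port]/ and drop the path too."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, "/", "", ""))


def referer_suppressed(url: str) -> str:
    """The HTTP spec's 'browse anonymously' toggle: send no Referer at all."""
    return ""


def leak_report(url: str, secret: str) -> dict:
    """For each policy, report whether the secret would reach the remote server."""
    policies = {
        "strip_query": referer_strip_query,
        "origin_only": referer_origin_only,
        "suppressed": referer_suppressed,
    }
    return {name: secret in fn(url) for name, fn in policies.items()}


if __name__ == "__main__":
    # Only the path-carried secret survives query stripping, as Goran notes.
    print("SATAN-style:", leak_report(SATAN_STYLE_URL, SATAN_SECRET))
    print("query-style:", leak_report(QUERY_STYLE_URL, QUERY_SECRET))
```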