[630] in WWW Security List Archive
Re: HTTP "Referer" field considered harmful
daemon@ATHENA.MIT.EDU (Ned Smith (nedbob))
Tue Apr 25 17:55:14 1995
From: "Ned Smith (nedbob)" <nedbob@sequent.com>
To: "'www-security mailing list'" <www-security@ns2.rutgers.edu>
Date: Tue, 25 Apr 95 10:57:00 PDT
Errors-To: owner-www-security@ns2.rutgers.edu
An observation:
Although in general it's a good policy not to redistribute information
needlessly, there is a fundamental understanding that all traffic on the
Internet is public information. Any server that distributes sensitive
information to a sub-class of trusted individuals necessarily must evaluate
both client and server in the context of the security policy inherent to the
individuals sharing a trust relationship. If client software is trusted to
uphold a common security policy with the server then some tamperproof
mechanism is needed which undeniably proves cooperative trust.
This means the server must identify the browsers that have been evaluated to
support the trust model and those that don't. This potentially could be a
difficult problem since it would require the browser to digitally sign the
executing image of itself for authentication by the server.
Clearly, we have lost sight of the fundamental assumptions of the Internet.
That being, one cannot trust clients to uphold a site's security policy. It
is incumbent on the server to prevent sensitive incidental information from
making its way to the Internet.
With regard to the SATAN password, if ever it was transmitted in the clear
then everybody in the world has it already and it makes no difference if
some other site gets to read it from a browser.
It has been said that the http spec says:
"Note: Because the source of a link may be considered private
information or may reveal an otherwise secure information
source, it is strongly recommended that the user be able to
^^^^^^^^^
select whether or not the Referrer field is sent. For
example, a browser client could have a toggle switch for
browsing openly/anonymously, which would respectively
enable/disable the sending of Referrer and From information."
The fact that adherence to the security policy is discretionary should
suggest to any security administrator that they cannot trust their sensitive
information will be dealt with appropriately by a 3rd party's software.
Best Regards,
Ned Smith
nedbob@sequent.com
-----------------------------------------------------------------
|> It appears to me that this should cause no-one any worries about any form
|> of security. Netscape (I haven't tested other browsers) just sets these
|> two variables to the last page that it visited.
|
| But even having that last page can reveal things, a la the SATAN password,
|or even just the names of machines on your internal net that you do not
|want known to the outside world, or even parts of the filesystem, etc.
|
|-Bill P.
|
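Added example, not part of the original post or of any software it mentions: the thread's point is that a server cannot rely on browsers to withhold the Referer, so the server side has to notice when it is receiving (or emitting) URLs that carry things like passwords or internal host names. The script below scans combined-format access-log lines for Referer values that leak a credential in the query string, a user:password in the URL, or an internal host name. The log lines, the host suffixes, and the parameter-name list are all constructed for this example.

```python
"""
Added example (not from the original 1995 mailing-list post): flag access-log
entries whose Referer value leaks information that should never have been in
a URL at all. Everything below (log lines, host suffixes, parameter names) is
constructed for illustration.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed internal name space: a Referer naming one of these hosts tells an
# outside server about machines on the internal net.
INTERNAL_HOST_SUFFIXES = (".corp.example", ".internal.example")

# Query-string parameter names that commonly carry secrets (constructed list).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token", "session", "api_key"}

# Apache/NCSA combined log format: the Referer is the first quoted field after
# the status code and response size.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def classify_referer(referer):
    """Return the reasons this Referer value is a leak; empty list if clean."""
    reasons = []
    if referer in ("", "-"):          # browser sent no Referer at all
        return reasons
    parts = urlsplit(referer)
    hostname = (parts.hostname or "").lower()
    if hostname.endswith(INTERNAL_HOST_SUFFIXES):
        reasons.append("internal-host")
    # Credentials placed in the query string of the referring page travel
    # with the link to every server it points at.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS and value:
            reasons.append("credential-in-query:" + name)
    # user:password@host in the referring URL is another way a secret rides along.
    if parts.username or parts.password:
        reasons.append("userinfo-in-url")
    return reasons


def scan_log(lines):
    """Return (client_ip, referer, reasons) for every line whose Referer leaks."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                   # not a combined-format line; skip it
        reasons = classify_referer(m.group("referer"))
        if reasons:
            findings.append((m.group("host"), m.group("referer"), reasons))
    return findings


# Constructed sample log lines (addresses from the documentation range).
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Apr/1995:10:57:00 -0700] "GET /index.html HTTP/1.0" 200 1234 '
    '"http://scanner.corp.example/results?user=bob&password=hunter2" "Mozilla/1.1N"',
    '203.0.113.6 - - [25/Apr/1995:10:58:00 -0700] "GET /index.html HTTP/1.0" 200 1234 '
    '"http://www.example.org/links.html" "Mozilla/1.1N"',
    '203.0.113.7 - - [25/Apr/1995:10:59:00 -0700] "GET /index.html HTTP/1.0" 200 1234 '
    '"-" "Mozilla/1.1N"',
    '203.0.113.8 - - [25/Apr/1995:11:00:00 -0700] "GET /index.html HTTP/1.0" 200 1234 '
    '"http://admin:secret@intranet.internal.example/" "Mozilla/1.1N"',
]

if __name__ == "__main__":
    for client, referer, reasons in scan_log(SAMPLE_LOG):
        print(client, referer, ", ".join(reasons))
```

Run against your own logs, the findings tell you which of your pages (or which neighbouring sites) are embedding secrets in URLs; the fix belongs on that server, not in the browser, exactly as the post argues. On the emitting side, today's servers can also send a `Referrer-Policy: no-referrer` response header, but that is still only a request that the client may or may not honour, so keeping secrets out of URLs remains the real control.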