
SSL weakness affecting links from pages with GET forms



http://www.zdnet.com:80/intweek/daily/970327x.html
has an article about an SSL problem that affects both Netscape
and Microsoft IE browsers, leaking "secure" data such as
credit card numbers from web pages with GET-based SSL forms on them.
It was discovered by Dan Klein.

There isn't specific detail about how the flaw works,
but it says that it affects GET forms but not POST.
Commentary from NS, MS, Gene Spafford, and Steve Bellovin.

   "It's like you've gone to the restaurant with your lover," Klein said. 
   "The restaurant is there, it's private, yet when you leave the restaurant 
   you have the menu in your hand and there's food all over your shirt." 



#			Thanks;  Bill
# Bill Stewart, +1-415-442-2215 [email protected]
# You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp
#     (If this is a mailing list, please Cc: me on replies.  Thanks.)