[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

SSL weakness affecting links from pages with GET forms

has an article about an SSL problem that affects both Netscape
and MicrosoftIE browsers, leaking "secure" data such as
credit card numbers from web pages with GET-based SSL forms on it.
It was discovered by Dan Klein.

There isn't specific detail about how the flaw works,
but it says that it affects GET forms but not POST.
Commentary from NS, MS, Gene Spafford, and Steve Bellovin.

   "It's like you've gone to the restaurant with your lover," Klein said. 
   "The restaurant is there, it's private, yet when you leave the restaurant 
   you have the menu in your hand and there's food all over your shirt." 

#			Thanks;  Bill
# Bill Stewart, +1-415-442-2215 [email protected]
# You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp
#     (If this is a mailing list, please Cc: me on replies.  Thanks.)