[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: SSL weakness affecting links from pages with GET forms
-----BEGIN PGP SIGNED MESSAGE-----
On Fri, 28 Mar 1997, Bill Stewart wrote:
> has an article about an SSL problem that affects both Netscape
> and MicrosoftIE browsers, leaking "secure" data such as
> credit card numbers from web pages with GET-based SSL forms on it.
> It was discovered by Dan Klein.
> There isn't specific detail about how the flaw works,
> but it says that it affects GET forms but not POST.
> Commentary from NS, MS, Gene Spafford, and Steve Bellovin.
> "It's like you've gone to the restaurant with your lover," Klein said.
> "The restaurant is there, it's private, yet when you leave the restaurant
> you have the menu in your hand and there's food all over your shirt."
I would guess that this means that Netscape and Explorer send the complete
URL of the page that linked to another site in the "HTTP-REFERER" header in
the clear when SSL is used. The only temporary solution is to use a local web
proxy that removes this header, or, as the article suggests, manually type in
an URL that is linked from a page using SSL. I can't think of too many
situations where one might follow a link to another site immediately after
sending sensitive information, but the contents of the "HTTP-REFERER" header
are often logged, and the log is often world-readable...
> # Thanks; Bill
> # Bill Stewart, +1-415-442-2215 [email protected]
> # You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp
> # (If this is a mailing list, please Cc: me on replies. Thanks.)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----