
Re: SSL weakness affecting links from pa



At 05:05 PM 4/18/97 -0400, Phillip M. Hallam-Baker wrote:
>As the person who invented (and mispelt) the referer link I don't
>agree with the arguments made against it. 
>The purpose of the referer link is
>to allow servers to collate pages of backlinks.
>This would make the Web browsable in both directions.
...
>Then they started jamming stupid ideas like cookies into the spec,
>ideas that showed all of five minutes thought.

One major problem with these features is that the security
implications become far more complex when you start combining them.
For instance, autoloading images without referer are safe - but
images + referer gives enough information to run doubleclick.
Cookies without referer are pretty safe - but cookies+referer
make cookies far less safe, and doubleclick more effective.

Then you start putting HTML capability in news readers,
and anybody who reads an article with an IMG in it
creates a record for spammers (or Arbitron) to use.

Rich Graves said that if you don't like the feature, take it up with the 
folks who wrote the spec - but the RFCs say that Referer needs to
be handled carefully, and should be optional...

>Of course there should be a toggle to allow users to turn off the 
>referer field. I tried to get a recommendation to do this put into the
>spec. People then started shouting at me saying that it was impossible
>to enforce and so the recommendation shouldn't be there. 

Perhaps too much commercial advertising capability already depended on it?


#			Thanks;  Bill
# Bill Stewart, +1-415-442-2215 [email protected]
# You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp
#     (If this is a mailing list, please Cc: me on replies.  Thanks.)
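The point made above about cookies and Referer combining badly can be shown concretely. The following is an added illustration, not code from the thread or from either author: it simulates what a hypothetical third-party image host (assumed name `ads.example`) can reconstruct from a constructed set of pixel requests carrying both a `Cookie` and a `Referer`, and what remains once the client applies the opt-out Hallam-Baker wanted, here implemented as "drop Referer on cross-site requests". All request records, host names and cookie values are constructed sample data.

```python
"""
Added illustration (not part of the original thread): what a third-party
image host learns from Cookie + Referer together, and what a client-side
"drop Referer on cross-site requests" toggle takes away from it.
All request data below is constructed sample data.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Hypothetical ad/image host that serves a 1x1 pixel embedded in many pages.
THIRD_PARTY_HOST = "ads.example"

# Constructed sample requests as received by ads.example: the browser sends the
# host's own cookie (identifying the user) and the Referer (the page being read).
SAMPLE_REQUESTS = [
    {"Cookie": "uid=alice01", "Referer": "http://news.example/politics/story1"},
    {"Cookie": "uid=alice01", "Referer": "http://shop.example/cart?item=42"},
    {"Cookie": "uid=bob77",   "Referer": "http://news.example/sports/match"},
    {"Cookie": "uid=alice01", "Referer": "http://health.example/conditions/x"},
    {"Cookie": None,          "Referer": "http://news.example/politics/story1"},
]


def parse_cookie(header):
    """Return a dict of cookie name -> value from a Cookie header (or {} if absent)."""
    if not header:
        return {}
    pairs = (p.strip().split("=", 1) for p in header.split(";") if "=" in p)
    return {k: v for k, v in pairs}


def build_profiles(requests):
    """Per-user browsing history as the image host can reconstruct it.

    Requests without a cookie cannot be tied to a person; requests without a
    Referer only reveal that *some* page embedding the pixel was viewed.
    """
    profiles = defaultdict(list)
    for req in requests:
        uid = parse_cookie(req.get("Cookie")).get("uid")
        if uid is None:
            continue
        profiles[uid].append(req.get("Referer") or "<no referer>")
    return dict(profiles)


def pages_learned(profiles):
    """Set of distinct page URLs the host could attach to an identified user."""
    return {p for pages in profiles.values() for p in pages if p != "<no referer>"}


def strip_cross_site_referer(req, request_host=THIRD_PARTY_HOST):
    """Client-side policy (the 'toggle' from the thread, applied selectively):
    send Referer only when the referring page and the requested resource share
    a host. Returns a new request dict; the input is left unchanged."""
    out = dict(req)
    ref = out.get("Referer")
    if ref and urlsplit(ref).hostname != request_host:
        out["Referer"] = None
    return out


def apply_policy(requests, policy=strip_cross_site_referer):
    """Apply a Referer policy to every outgoing request."""
    return [policy(r) for r in requests]


if __name__ == "__main__":
    before = build_profiles(SAMPLE_REQUESTS)
    after = build_profiles(apply_policy(SAMPLE_REQUESTS))
    print("with Referer:   ", before)
    print("pages learned:  ", len(pages_learned(before)))
    print("Referer stripped:", after)
    print("pages learned:  ", len(pages_learned(after)))
```

With both headers present the host ties four distinct pages to named cookies; after the client strips cross-site Referer it still counts pixel loads per cookie but learns no page URLs, which is the "cookies without referer are pretty safe" case from the message.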