[454] in cryptography@c2.net mail archive
Re: SSL weakness affecting links from pages with GET forms
daemon@ATHENA.MIT.EDU (Tom Weinstein)
Tue Apr  1 21:10:45 1997
Date: Tue, 01 Apr 1997 15:58:45 -0800
From: Tom Weinstein <tomw@netscape.com>
To: Bill Stewart <stewarts@ix.netcom.com>
CC: cryptography@c2.net
Bill Stewart wrote:
> 
> http://www.zdnet.com:80/intweek/daily/970327x.html
> has an article about an SSL problem that affects both Netscape
> and Microsoft IE browsers, leaking "secure" data such as
> credit card numbers from web pages with GET-based SSL forms on them.
> It was discovered by Dan Klein.
> 
> There isn't specific detail about how the flaw works,
> but it says that it affects GET forms but not POST.
> Commentary from NS, MS, Gene Spafford, and Steve Bellovin.
This is much less serious than the author makes it appear.  This is all
about sites that use GET URLs to send credit card information back to
the server.  If you then go to another site, the HTTP-Referrer field
contains the credit card number.  Duh.  I'd be afraid to do business
with any site that was stupid enough to use GET URLs for handling
financial data.
It's not a security hole.  That's the way it's supposed to work.  The
security hole is in the sites that don't know what the hell they're
doing.
-- 
You should only break rules of style if you can    | Tom Weinstein
coherently explain what you gain by so doing.      | tomw@netscape.com
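The mechanism Tom describes, as an added example that is not part of the thread: a toy model of a GET versus POST form submission followed by a link to another site, plus the audit a site operator could run over access logs to find card numbers travelling in query strings. The URLs, field names and log lines are constructed for the example.

```python
"""Model of the leak discussed above: a GET form puts its fields in the URL
query string, and the browser then sends that URL as the Referer header when
the user follows a link to another site.  Constructed example, not browser code."""
import re
from urllib.parse import urlencode, urlsplit, parse_qs


def submit_form(action, method, fields):
    """Return (url the browser lands on, request body) after submitting."""
    if method.upper() == "GET":
        return action + "?" + urlencode(fields), ""
    return action, urlencode(fields)      # POST: fields travel in the body only


def referer_for_next_request(current_url, link):
    """1997-era behaviour modelled here: the full current URL is sent as the
    Referer on the next navigation, even when the link points to another host."""
    return current_url


def leaked_fields(referer, fields):
    """Which submitted fields can the next site read out of the Referer?"""
    qs = parse_qs(urlsplit(referer).query)
    return [k for k, v in fields.items() if qs.get(k) == [v]]


def luhn_ok(digits):
    """Luhn check digit test, used to tell card numbers from other numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


PAN_RE = re.compile(r"(?<!\d)\d{13,16}(?!\d)")


def urls_with_card_numbers(log_lines):
    """Defender's audit: flag request URLs whose query string carries a
    Luhn-valid 13 to 16 digit number, i.e. a likely card number sent via GET."""
    hits = []
    for line in log_lines:                 # constructed format: METHOD URL PROTO
        parts = line.split()
        url = parts[1] if len(parts) > 1 else ""
        if any(luhn_ok(m) for m in PAN_RE.findall(urlsplit(url).query)):
            hits.append(url)
    return hits
```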