[456] in cryptography@c2.net mail archive
Re: SSL weakness affecting links from pages with GET forms
daemon@ATHENA.MIT.EDU (Eric Murray)
Tue Apr  1 22:38:06 1997
From: Eric Murray <ericm@lne.com>
To: tomw@netscape.com (Tom Weinstein)
Date: Tue, 1 Apr 1997 19:00:34 -0800 (PST)
Cc: stewarts@ix.netcom.com, cryptography@c2.net
In-Reply-To: <3341A135.41C6@netscape.com> from "Tom Weinstein" at Apr 1, 97 03:58:45 pm
Tom Weinstein writes:
> 
> Bill Stewart wrote:
> > 
> > http://www.zdnet.com:80/intweek/daily/970327x.html
> > has an article about an SSL problem that affects both Netscape
> > and Microsoft IE browsers, leaking "secure" data such as
> > credit card numbers from web pages with GET-based SSL forms on them.
> > It was discovered by Dan Klein.
> > 
> > There isn't specific detail about how the flaw works,
> > but it says that it affects GET forms but not POST.
> > Commentary from NS, MS, Gene Spafford, and Steve Bellovin.
> 
> This is much less serious than the author makes it appear.
Not to pick on Dan Klein, but I have seen more than a few
press announcements of security problems that are already
well known.  I suppose if you're a consultant, it's good for business
to make such an announcement. 
>  This is all
> about sites that use GET URLs to send credit card information back to
> the server.  If you then go to another site, the HTTP-Referrer field
> contains the credit card number.  Duh.  I'd be afraid to do business
> with any site that was stupid enough to use GET URLs for handling
> financial data.
Out of curiosity, will there be an option in the browser formerly known
as Mozilla to allow the user to not send a Referrer tag?  After cookies
the Referrer is the next thing I'm interested in keeping private.
Speaking of self-serving announcements, my Cookie Jar program
lets you block sending Referrer tags, plus it blocks sending/receiving
cookies or receiving ads.  http://www.lne.com/ericm/cookie_jar/
 
-- 
   Eric Murray  ericm@lne.com  Network security and encryption consulting.
PGP keyid:E03F65E5 fingerprint:50 B0 A2 4C 7D 86 FC 03  92 E8 AC E6 7E 27 29 AF
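The leak Tom describes above, as an added example that is not part of this thread: a GET form serialises its fields into the URL, and that URL is what the browser sends as the Referer on the next click to another site; a POST form keeps the fields in the request body. The second half is a defender-side check over a constructed combined-format access log that flags referring URLs carrying a Luhn-valid card-number-like value. All names, URLs and log lines here are assumed, not taken from the message.

```python
# Added example, not code from the thread: why a GET form leaks its fields via
# the Referer header (a POST form does not), plus a check of an access log for
# card-number-like values in referring URLs. All sample data is constructed.
import re
from urllib.parse import urlencode, urlsplit, parse_qs

def submit_request(action, method, fields):
    """(url, body) a browser sends on submit: GET puts the fields in the
    URL, which later travels in the Referer; POST keeps them in the body."""
    if method.upper() == "GET":
        return f"{action}?{urlencode(fields)}", None
    return action, urlencode(fields)

def luhn_ok(digits):
    """Luhn checksum, used only to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def pan_like_params(url):
    """Names of query parameters whose value looks like a card number."""
    hits = []
    for name, values in parse_qs(urlsplit(url).query).items():
        for v in values:
            digits = re.sub(r"\D", "", v)
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                hits.append(name)
    return hits

# Combined log format: the Referer is the quoted field after status and size.
LOG_RE = re.compile(r'^(\S+) .*?"[^"]*" \d+ \S+ "([^"]*)"')

def leaking_referers(log_lines):
    """(client, referer, params) for each request whose Referer carries a PAN."""
    found = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and (params := pan_like_params(m.group(2))):
            found.append((m.group(1), m.group(2), params))
    return found

# Constructed sample: a GET checkout page, then a click to another site.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Apr/1997:19:00:34 -0800] "GET /ad.gif HTTP/1.0" 200 512 '
    '"https://shop.example/buy?card=4111111111111111&exp=1299" "Mozilla/3.0"',
]
```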