1997-04-14 - Re: SSL weakness affecting links from pa

Header Data

From: Bryan Lyles <lyles@parc.xerox.com>
To: Tom Weinstein <tomw@netscape.com>
Message Hash: e72dbf73958ed2333689763cb5ac05899f3880655bb176bb00566339d0b9f745
Message ID: <97Apr14.123346pdt."7904"@thyron.parc.xerox.com>
Reply To: <3351F2DF.7DC26A1A@netscape.com>
UTC Datetime: 1997-04-14 19:34:53 UTC
Raw Date: Mon, 14 Apr 1997 12:34:53 -0700 (PDT)

Raw message

From: Bryan Lyles <lyles@parc.xerox.com>
Date: Mon, 14 Apr 1997 12:34:53 -0700 (PDT)
To: Tom Weinstein <tomw@netscape.com>
Subject: Re: SSL weakness affecting links from pa
In-Reply-To: <3351F2DF.7DC26A1A@netscape.com>
Message-ID: <97Apr14.123346pdt."7904"@thyron.parc.xerox.com>
MIME-Version: 1.0
Content-Type: text/plain


In message <3351F2DF.7DC26A1A@netscape.com> you write:
...
>In the eyes of some, the referer header is a privacy violation.  It
>allows a site to see what site you visited before coming there.  In the
>case of Navigator, we ONLY send the referer header when you click on a
>link.  Not when you select a bookmark.  Not when you type a URL into the
>location field.  This allows web sites to see who links to them.  I
>think that's something that a web author is entitled to know.
>

Tom,

<ignoring personal privacy issues>

I am concerned that the referer field could be a major corporate security 
leak.  In particular, many companies are now using the web for internal 
project documentation.  The URLs often contain project code words or code 
names.  If a project wishes to establish links to competitors for purposes 
of benchmarking, or to suppliers, the referer field would leak those code 
words and/or project organization.  In most security handbooks this is a 
breach of project security.  

Unfortunately, you (the commercial web community) are creating entitlements 
which the user community is likely to disagree with strongly.  My newspaper 
does not have an entitlement to know which pages I read, the advertisers in 
the newspaper do not have entitlements to the knowledge of which ads I scan.  
Assumption of such entitlements in the web environment will inevitably lead to 
privacy violations, security leaks and legal action.

-Bryan
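The leak Bryan describes, as an added example that is not part of the original message: a small model of the Referer behaviour quoted above (sent on a link click, not on a bookmark or a typed URL), a check that flags an internal page URL being disclosed to an external host, and the outbound-proxy mitigation of dropping the header in that case. The internal domain suffix `.corp.example`, the project name `BLUEHERON`, the hostnames and the proxy log lines are all constructed for the example.

```python
from urllib.parse import urlparse

# Hypothetical internal domain suffix; any other host counts as external.
INTERNAL_SUFFIXES = (".corp.example",)


def referer_for(navigation, current_url):
    """Referer a browser with the behaviour quoted in the thread would send:
    the current page URL on a link click, nothing for a bookmark or typed URL."""
    if navigation == "click" and current_url:
        return current_url
    return None


def is_internal(url):
    host = (urlparse(url).hostname or "").lower()
    return host.endswith(INTERNAL_SUFFIXES)


def leaked_path(referer, target_url):
    """Return the internal path (and query) that the Referer would disclose
    to an external host, or None when nothing internal is exposed."""
    if not referer:
        return None
    if is_internal(referer) and not is_internal(target_url):
        parsed = urlparse(referer)
        query = "?" + parsed.query if parsed.query else ""
        return parsed.path + query
    return None


def scrub_headers(headers, target_url):
    """Outbound-proxy mitigation: drop Referer when it would carry an
    internal URL to an external site; leave internal-to-internal traffic alone."""
    cleaned = dict(headers)
    if leaked_path(cleaned.get("Referer"), target_url) is not None:
        del cleaned["Referer"]
    return cleaned


# Constructed proxy log lines: "METHOD target-url referer" ("-" = no Referer).
SAMPLE_LOG = [
    "GET http://www.supplier-example.net/pricing http://intranet.corp.example/projects/BLUEHERON/benchmarks.html",
    "GET http://wiki.corp.example/projects/BLUEHERON/index.html http://intranet.corp.example/projects/BLUEHERON/benchmarks.html",
    "GET http://www.competitor-example.com/products -",
    "GET http://www.competitor-example.com/products http://intranet.corp.example/projects/BLUEHERON/compare.html?phase=2",
]


def find_leaks(lines):
    """Scan log lines and return (external host, disclosed internal path) pairs."""
    findings = []
    for line in lines:
        _method, target, referer = line.split()
        if referer == "-":
            referer = None
        path = leaked_path(referer, target)
        if path is not None:
            findings.append((urlparse(target).hostname, path))
    return findings


if __name__ == "__main__":
    for host, path in find_leaks(SAMPLE_LOG):
        print(f"internal path {path!r} disclosed to {host}")
```

Running the scan over the constructed log reports the two requests whose Referer carries a `/projects/BLUEHERON/...` path to an external host; the internal-to-internal request and the request without a Referer are not flagged, which is the distinction `scrub_headers` relies on.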
