1997-03-29 - Re: SSL weakness affecting links from pages with GET forms
Header Data
From: “Mark M.” <markm@voicenet.com>
To: Bill Stewart <stewarts@ix.netcom.com>
Message Hash: 6e7d8ea50b250918df0309b3d58f712263e2c4e277f26ad8903fd9075ae4a2db
Message ID: <Pine.LNX.3.95.970329003609.3732A-100000@purple.voicenet.com>
Reply To: <3.0.1.32.19970328195526.0066f3a0@popd.ix.netcom.com>
UTC Datetime: 1997-03-29 05:43:04 UTC
Raw Date: Fri, 28 Mar 1997 21:43:04 -0800 (PST)
Raw message
From: "Mark M." <markm@voicenet.com>
Date: Fri, 28 Mar 1997 21:43:04 -0800 (PST)
To: Bill Stewart <stewarts@ix.netcom.com>
Subject: Re: SSL weakness affecting links from pages with GET forms
In-Reply-To: <3.0.1.32.19970328195526.0066f3a0@popd.ix.netcom.com>
Message-ID: <Pine.LNX.3.95.970329003609.3732A-100000@purple.voicenet.com>
MIME-Version: 1.0
Content-Type: text/plain
-----BEGIN PGP SIGNED MESSAGE-----
On Fri, 28 Mar 1997, Bill Stewart wrote:
> http://www.zdnet.com:80/intweek/daily/970327x.html
> has an article about an SSL problem that affects both Netscape
> and MicrosoftIE browsers, leaking "secure" data such as
> credit card numbers from web pages with GET-based SSL forms on it.
> It was discovered by Dan Klein.
>
> There isn't specific detail about how the flaw works,
> but it says that it affects GET forms but not POST.
> Commentary from NS, MS, Gene Spafford, and Steve Bellovin.
>
> "It's like you've gone to the restaurant with your lover," Klein said.
> "The restaurant is there, it's private, yet when you leave the restaurant
> you have the menu in your hand and there's food all over your shirt."
I would guess that this means that Netscape and Explorer send the complete
URL of the page that linked to another site in the "HTTP-REFERER" header in
the clear when SSL is used. The only temporary solution is to use a local web
proxy that removes this header, or, as the article suggests, manually type in
an URL that is linked from a page using SSL. I can't think of too many
situations where one might follow a link to another site immediately after
sending sensitive information, but the contents of the "HTTP-REFERER" header
are often logged, and the log is often world-readable...
>
>
>
> # Thanks; Bill
> # Bill Stewart, +1-415-442-2215 stewarts@ix.netcom.com
> # You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp
> # (If this is a mailing list, please Cc: me on replies. Thanks.)
>
>
Mark
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3
Charset: noconv
iQEVAwUBMzytJyzIPc7jvyFpAQE3gAf/frvfAWg44mEeg2AyhxlFKBmmh3yWEtmq
l8np9nTMz20/PHcF2uzDHrpSEcAY2WPcvEvu+57QGelU0H2LoH2qGFNeVisPQURE
9F5gUZvFeyubL9UVLlUoxVIMCumLM+y31zqVaMb8GwwGnHWNcHc1rqnUhchYamiJ
BbU04U3xaF5b5/mMBzKTU/tfTajeIDsAl0dhk0rzvXAMN2n26idoWic39ZzhHnsE
QOOfi4oI8XK4cMbjOKbwnSR7Xbt78800vilyp+mvkfgp/bR6ygougYzYz1s9dNY3
HgGpnuxDzFoHnqlIQ7in3N+QXXzSNh8TiVfU6w3PjoRk3RNZHX+DTQ==
=QOto
-----END PGP SIGNATURE-----
Thread
Return to March 1997
- Return to “Bill Stewart <stewarts@ix.netcom.com>”
Return to ““Mark M.” <markm@voicenet.com>”
- 1997-03-29 (Fri, 28 Mar 1997 19:57:43 -0800 (PST)) - SSL weakness affecting links from pages with GET forms - Bill Stewart <stewarts@ix.netcom.com>
- 1997-03-29 (Fri, 28 Mar 1997 21:43:04 -0800 (PST)) - Re: SSL weakness affecting links from pages with GET forms - “Mark M.” <markm@voicenet.com>