1997-03-29 - SSL weakness affecting links from pages with GET forms

Header Data

From: Bill Stewart <stewarts@ix.netcom.com>
To: cryptography@c2.net
Message Hash: 7330ec0e0146c401986ffa10a92a6de4ffc8e1b06ccc2ee1464b48eeb916e36f
Message ID: <3.0.1.32.19970328195526.0066f3a0@popd.ix.netcom.com>
Reply To: N/A
UTC Datetime: 1997-03-29 03:57:43 UTC
Raw Date: Fri, 28 Mar 1997 19:57:43 -0800 (PST)

Raw message

From: Bill Stewart <stewarts@ix.netcom.com>
Date: Fri, 28 Mar 1997 19:57:43 -0800 (PST)
To: cryptography@c2.net
Subject: SSL weakness affecting links from pages with GET forms
Message-ID: <3.0.1.32.19970328195526.0066f3a0@popd.ix.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain


http://www.zdnet.com:80/intweek/daily/970327x.html
has an article about an SSL problem that affects both Netscape
and MicrosoftIE browsers, leaking "secure" data such as
credit card numbers from web pages with GET-based SSL forms on it.
It was discovered by Dan Klein.

There isn't specific detail about how the flaw works,
but it says that it affects GET forms but not POST.
Commentary from NS, MS, Gene Spafford, and Steve Bellovin.

   "It's like you've gone to the restaurant with your lover," Klein said. 
   "The restaurant is there, it's private, yet when you leave the restaurant 
   you have the menu in your hand and there's food all over your shirt." 



#			Thanks;  Bill
# Bill Stewart, +1-415-442-2215 stewarts@ix.netcom.com
# You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp
#     (If this is a mailing list, please Cc: me on replies.  Thanks.)






Thread