From: Bill Stewart <stewarts@ix.netcom.com>
To: "Phillip M. Hallam-Baker" <hallam@ai.mit.edu>
Message Hash: 6c4626e8060ed18bffb8707a3c6b0a9b350527d01e0232d74d64c5c65fd68960
Message ID: <3.0.1.32.19970418230820.006527d8@popd.ix.netcom.com>
Reply To: <199704182100.RAA19542@life.ai.mit.edu>
UTC Datetime: 1997-04-19 06:12:09 UTC
Raw Date: Fri, 18 Apr 1997 23:12:09 -0700 (PDT)
Subject: Re: SSL weakness affecting links from pa
At 05:05 PM 4/18/97 -0400, Phillip M. Hallam-Baker wrote:
>As the person who invented (and mispelt) the referer link I don't
>agree with the arguments made against it.
>The purpose of the referer link is
>to allow servers to collate pages of backlinks.
>This would make the Web browsable in both directions.
...
>Then they started jamming stupid ideas like cookies into the spec,
>ideas that showed all of five minutes thought.
One major problem with these features is that the security
implications become far more complex when you start combining them.
For instance, autoloading images without referer are safe - but
images + referer gives enough information to run doubleclick.
Cookies without referer are pretty safe - but cookies+referer
make cookies far less safe, and doubleclick more effective.
Then you start putting HTML capability in news readers,
and anybody who reads an article with an IMG in it
creates a record for spammers (or Arbitron) to use.
Rich Graves said that if you don't like the feature, take it up with the
folks who wrote the spec - but the RFCs say that Referer needs to
be handled carefully, and should be optional...
>Of course there should be a toggle to allow users to turn off the
>referer field. I tried to get a recommendation to do this put into the
>spec. People then started shouting at me saying that it was impossible
>to enforce and so the recommendation shouldn't be there.
Perhaps too much commercial advertising capability already depended on it?
# Thanks; Bill
# Bill Stewart, +1-415-442-2215 stewarts@ix.netcom.com
# You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp
# (If this is a mailing list, please Cc: me on replies. Thanks.)
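The combination Bill describes (an auto-loaded third-party image, plus Referer, plus a cookie) modelled in a few lines of Python, as an added example that is not part of the original message; the hostnames, page URLs and cookie id are constructed, and the two toggles stand in for the browser settings the thread argues about.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass
class BrowserPolicy:
    """The two toggles discussed in the thread: send Referer? send cookies?"""
    send_referer: bool = True
    send_cookies: bool = True

def image_request(page_url, img_url, cookie_jar, policy):
    """Headers a browser emits when a page auto-loads an image from another host."""
    host = urlsplit(img_url).netloc
    headers = {"Host": host}
    if policy.send_referer:
        headers["Referer"] = page_url                  # which page embedded the image
    if policy.send_cookies and host in cookie_jar:
        headers["Cookie"] = f"id={cookie_jar[host]}"  # lets the host recognise this browser again
    return headers

def profiles_from_log(log):
    """What the image host can reconstruct: per cookie id, the set of referring sites."""
    profiles = {}
    for h in log:
        who = h.get("Cookie", "(no cookie)")
        where = urlsplit(h.get("Referer", "")).netloc or "(unknown page)"
        profiles.setdefault(who, set()).add(where)
    return profiles

# Constructed scenario: one browser, three unrelated sites, each embedding the same
# third-party image; the browser already holds a cookie for that image host.
VISITED = ["http://a.example/news", "http://b.example/forum", "http://c.example/shop"]
IMAGE = "http://ads.example/pixel.gif"
COOKIE_JAR = {"ads.example": "u42"}

def simulate(policy):
    """Run the three page views under one policy and return the image host's view."""
    log = [image_request(page, IMAGE, COOKIE_JAR, policy) for page in VISITED]
    return profiles_from_log(log)

if __name__ == "__main__":
    print(simulate(BrowserPolicy()))                    # cookie + Referer: full cross-site trail
    print(simulate(BrowserPolicy(send_referer=False)))  # cookie only: same browser, but not where
    print(simulate(BrowserPolicy(send_cookies=False)))  # Referer only: the sites, but not the user
```

Only the first policy lets the image host tie every visited site to one browser; dropping either header breaks the link, which is the point of the toggle Hallam-Baker wanted in the spec.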