1997-04-14 - Re: SSL weakness affecting links from pa

Header Data

From: Tom Weinstein <tomw@netscape.com>
To: toto@sk.sympatico.ca
Message Hash: 77629e8edd8b1e4e7e39162ed605100d681870e555d38af125a5479f0ed82a9e
Message ID: <3351F2DF.7DC26A1A@netscape.com>
Reply To: <3.0.1.32.19970411230142.00643490@popd.ix.netcom.com>
UTC Datetime: 1997-04-14 09:04:06 UTC
Raw Date: Mon, 14 Apr 1997 02:04:06 -0700 (PDT)

Raw message

From: Tom Weinstein <tomw@netscape.com>
Date: Mon, 14 Apr 1997 02:04:06 -0700 (PDT)
To: toto@sk.sympatico.ca
Subject: Re: SSL weakness affecting links from pa
In-Reply-To: <3.0.1.32.19970411230142.00643490@popd.ix.netcom.com>
Message-ID: <3351F2DF.7DC26A1A@netscape.com>
MIME-Version: 1.0
Content-Type: text/plain


Toto wrote:
> 
> [ long rant deleted ]

I'm just going to reply to what I think is the real substance of your
argument.  If I got the wrong piece, I'm sure you'll tell me.

> Let's get real, here. Corporations add capabilities to their programs
> that allow themselves and other 'major players' to have their way with
> the user.
>   When Joe Average, or a hacker/spammer takes advantage of the same
> capability, then the vendors claim it is a 'bug', or that they can't
> be blamed for the 'bad guys' use of this built-in function.

This particular feature (the HTTP referer header) has nothing to do with
corporations "having their way" with users.  It was created so that web
authors could put "back" buttons on their pages.  The security problem
arises when stupid CGI authors use GET forms to transfer sensitive
information.  This is a security hole in the web site, not in the
browser.  The browser follows the HTTP specification.  If you have a
problem with that, contact the author of that specification.  Or, better
yet, contact the web site (as far as I know, there are none) that has
this security hole.

The only "bad guys" are the web sites that you are giving your private
information to.  If you trust them enough to give them your information
in the first place, shouldn't you trust them not to give it away by
using a GET form?

In the eyes of some, the referer header is a privacy violation.  It
allows a site to see what site you visited before coming there.  In the
case of Navigator, we ONLY send the referer header when you click on a
link.  Not when you select a bookmark.  Not when you type a URL into the
location field.  This allows web sites to see who links to them.  I
think that's something that a web author is entitled to know.

So, you think we're doing something bad.  Why don't you tell me what
you think we should do?

-- 
You should only break rules of style if you can    | Tom Weinstein
coherently explain what you gain by so doing.      | tomw@netscape.com
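
The leak discussed in the message above, as an added example that is not part of the original e-mail or of any Netscape code: a small audit that finds forms submitting sensitive fields with GET and shows the URL that would then travel in the referer header on the next link click. The field-name hints, the sample HTML and the shop.example host are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode, urljoin

# Assumption: substrings that mark a field name as sensitive (illustrative list).
SENSITIVE_HINTS = ("pass", "pwd", "card", "ssn", "token", "secret")

class FormAuditor(HTMLParser):
    """Collect forms that would place sensitive fields in the URL."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.current = None   # form currently being parsed, if any
        self.findings = []    # one dict per risky GET form

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # HTML default: a form without method= is submitted with GET.
            self.current = {"method": (a.get("method") or "get").lower(),
                            "action": urljoin(self.page_url, a.get("action") or ""),
                            "fields": []}
        elif tag == "input" and self.current is not None and a.get("name"):
            self.current["fields"].append((a["name"], (a.get("type") or "text").lower()))

    def handle_endtag(self, tag):
        if tag != "form" or self.current is None:
            return
        form, self.current = self.current, None
        risky = [n for n, t in form["fields"]
                 if t == "password" or any(h in n.lower() for h in SENSITIVE_HINTS)]
        if form["method"] == "get" and risky:
            # URL of the result page (assumes the action has no query of its own);
            # following a link from that page sends this URL as the referer.
            query = urlencode([(n, "VALUE") for n, _ in form["fields"]])
            form["risky"] = risky
            form["referer_after_submit"] = form["action"] + "?" + query
            self.findings.append(form)

def audit(html, page_url):
    auditor = FormAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample page: one GET order form, one POST login form.
SAMPLE = """
<form action="/cgi-bin/order"><input name="name"><input name="cardnum"></form>
<form action="/cgi-bin/login" method="POST"><input name="user"><input type="password" name="pw"></form>
"""
for f in audit(SAMPLE, "https://shop.example/checkout.html"):
    print(f["risky"], "->", f["referer_after_submit"])
```

Only the order form is reported; the login form carries a password field but submits with POST, so its values never reach the URL.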




