From: Bryan Lyles <lyles@parc.xerox.com>
Date: Mon, 14 Apr 1997 12:34:53 -0700 (PDT)
To: Tom Weinstein <tomw@netscape.com>
Subject: Re: SSL weakness affecting links from pa
In-Reply-To: <3351F2DF.7DC26A1A@netscape.com>
Message-ID: <97Apr14.123346pdt."7904"@thyron.parc.xerox.com>
MIME-Version: 1.0
Content-Type: text/plain


In message <3351F2DF.7DC26A1A@netscape.com>you write:
...
>In the eyes of some, the referer header is a privacy violation.  It
>allows a site to see what site you visited before coming there.  In the
>case of Navigator, we ONLY send the referer header when you click on a
>link.  Not when you select a bookmark.  Not when you type a URL into the
>location field.  This allows web sites to see who links to them.  I
>think that's something that a web author is entitled to know.
>

Tom,

<ignoring personal privacy issues>

I am concerned that the referer field could be a major corporate security 
leak.  In particular, many companies are now using the web for internal 
project documentation.  The URLs often contain project code words or code 
names.  If a project wishes to to establish links to competitors for purposes 
of benchmarking, or to suppliers, the referer field would leak those code 
words and/or project organization.  In most security handbooks this is a 
breach of project security.  

Unfortunately, you (the commercial web community) are creating entitlements 
which the user community is likely to disagree with strongly.  My newspaper 
does not have an entitlement to know which pages I read, the advertisers in 
the newspaper do not have entitlements to the knowledge of which ads I scan.  
Assumption of such entitlements in the web environment will inevitably lead to 
privacy violations, security leaks and legal action.

-Bryan