1997-04-11 - Re: SSL weakness affecting links from pa

Header Data

From: ARTURO GRAPA YSUNZA <AGRAPA@banamex.com>
To: Bill Stewart <markm@voicenet.com>
Message Hash: e750d73954918b7187feb9a5f9b3d53cc4876f7b3e8a0ddb8ed00e9a9c763c72
Message ID: <c=MX%a=%p=BANACCI%l=CENTRALES/BARRANCA24/00015C5B@mex3976bcaop1.banamex.com>
Reply To: _N/A

UTC Datetime: 1997-04-11 21:30:08 UTC
Raw Date: Fri, 11 Apr 1997 14:30:08 -0700 (PDT)

Raw message

From: ARTURO GRAPA YSUNZA <AGRAPA@banamex.com>
Date: Fri, 11 Apr 1997 14:30:08 -0700 (PDT)
To: Bill Stewart <markm@voicenet.com>
Subject: Re: SSL weakness affecting links from pa
Message-ID: <c=MX%a=_%p=BANACCI%l=CENTRALES/BARRANCA24/00015C5B@mex3976bcaop1.banamex.com>
MIME-Version: 1.0
Content-Type: text/plain



See http://www.Microsoft.com/security/

under "Credit Card Security Concerns and Microsoft's Response"

for Microsoft's response on the SSL GET/POST weakness. ¿Any opinions?

Art Grapa
agrapa@banamex.com

 ----------
From: Mark M.
To: ARTURO GRAPA YSUNZA; Bill Stewart
Cc: cypherpunks@toad.com; cryptography@c2.net
Subject: Re: SSL weakness affecting links from pa
Date: Saturday, March 29, 1997 1:11AM

Microsoft Mail v3.0 IPM.Microsoft Mail.Note
De: Mark M.
Para:  ARTURO GRAPA YSUNZA
     Bill Stewart
Cc:  cypherpunks@toad.com
     cryptography@c2.net
Asunto:  Re: SSL weakness affecting links from pa
Fecha: 1997-03-29 01:11
Prioridad: 3
Ident. del mensaje: 83A07AD005A0D011AF8C006097838CEB

 -----------------------------------------------------------------------
----- --

 -----BEGIN PGP SIGNED MESSAGE-----

On Fri, 28 Mar 1997, Bill Stewart wrote:

> http://www.zdnet.com:80/intweek/daily/970327x.html
> has an article about an SSL problem that affects both Netscape
> and MicrosoftIE browsers, leaking "secure" data such as
> credit card numbers from web pages with GET-based SSL forms on it.
> It was discovered by Dan Klein.
>
> There isn't specific detail about how the flaw works,
> but it says that it affects GET forms but not POST.
> Commentary from NS, MS, Gene Spafford, and Steve Bellovin.
>
>    "It's like you've gone to the restaurant with your lover," Klein said.

>    "The restaurant is there, it's private, yet when you leave the
restaurant
>    you have the menu in your hand and there's food all over your shirt."

I would guess that this means that Netscape and Explorer send the
complete
URL of the page that linked to another site in the "HTTP-REFERER" header
in
the clear when SSL is used.  The only temporary solution is to use a
local
web
proxy that removes this header, or, as the article suggests, manually
type
in
an URL that is linked from a page using SSL.  I can't think of too many
situations where one might follow a link to another site immediately
after
sending sensitive information, but the contents of the "HTTP-REFERER"
header
are often logged, and the log is often world-readable...

>
>
>
> #			Thanks;  Bill
> # Bill Stewart, +1-415-442-2215 stewarts@ix.netcom.com
> # You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp
> #     (If this is a mailing list, please Cc: me on replies.  Thanks.)
>
>


Mark
 -----BEGIN PGP SIGNATURE-----
Version: 2.6.3
Charset: noconv

iQEVAwUBMzytJyzIPc7jvyFpAQE3gAf/frvfAWg44mEeg2AyhxlFKBmmh3yWEtmq
l8np9nTMz20/PHcF2uzDHrpSEcAY2WPcvEvu+57QGelU0H2LoH2qGFNeVisPQURE
9F5gUZvFeyubL9UVLlUoxVIMCumLM+y31zqVaMb8GwwGnHWNcHc1rqnUhchYamiJ
BbU04U3xaF5b5/mMBzKTU/tfTajeIDsAl0dhk0rzvXAMN2n26idoWic39ZzhHnsE
QOOfi4oI8XK4cMbjOKbwnSR7Xbt78800vilyp+mvkfgp/bR6ygougYzYz1s9dNY3
HgGpnuxDzFoHnqlIQ7in3N+QXXzSNh8TiVfU6w3PjoRk3RNZHX+DTQ==
=QOto
 -----END PGP SIGNATURE-----






Thread