1997-04-18 - Re: SSL weakness affecting links from pa

Header Data

From: “Phillip M. Hallam-Baker” <hallam@ai.mit.edu>
To: “Wesley Felter” <wesf@mail.utexas.edu>
Message Hash: fc22f771efb14cf0329884f00864c0b07b5cb4b1d4f3275e3abd05a219e29c4c
Message ID: <199704182100.RAA19542@life.ai.mit.edu>
Reply To: N/A
UTC Datetime: 1997-04-18 21:00:14 UTC
Raw Date: Fri, 18 Apr 1997 14:00:14 -0700 (PDT)

Raw message

From: "Phillip M. Hallam-Baker" <hallam@ai.mit.edu>
Date: Fri, 18 Apr 1997 14:00:14 -0700 (PDT)
To: "Wesley Felter" <wesf@mail.utexas.edu>
Subject: Re: SSL weakness affecting links from pa
Message-ID: <199704182100.RAA19542@life.ai.mit.edu>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="Boundary..3953.1071713693.multipart/signed"

As the person who invented (and misspelt) the referer link I don't agree
with the arguments made against it. The purpose of the referer link is
to allow servers to collate pages of backlinks. This would make the
Web browsable in both directions.

I could never understand why Netscape supported the facility in the
browser without also supporting the capture functionality in the
server. It's a simple matter to add support but they seem uninterested.

Of course there should be a toggle to allow users to turn off the
referer field. I tried to get a recommendation to do this put into the
spec. People then started shouting at me saying that it was impossible
to enforce and so the recommendation shouldn't be there. Quite
what the relevance of 'enforcement' is I don't know.


Then they started jamming stupid ideas like cookies into the spec,
ideas that showed all of five minutes' thought.

>Which was my original point. I'd even be willing to *pay* for a cert, but
>not more than about $15. I just find it odd that I can get SSL server
>software for cheaper than I can get a license to operate said software.
>Hey Verisign, why don't you offer a Class 1 server certificate?

The manner in which SSL is designed means that it requires a degree
of trust in the certificate. Allowing the browser to automatically accept
a class 1 cert would be somewhat foolhardy. Because someone put
that damn key on the bottom of the browser some people expect there
to be security. Instead they get encryption which ain't quite the same
thing.

There is nothing to stop you using a non-standard cert with SSL, however.
I use Apache with a cert I wrote myself.

    Phill
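The two uses of the Referer header the post describes, the user-side toggle it asks for and the server-side collation of backlinks it says the header was invented for, can be shown in a few lines. The following is an added example written for this archive page, not code from the poster, Netscape or Apache. It assumes Apache-style combined-format access logs (the sample lines below are constructed), and the client-side policy also drops the Referer when a link leads from an HTTPS page to an HTTP one, the rule later written into RFC 2616 section 15.1.3, which the post itself does not discuss.

```python
"""Referer handling from both ends: a client toggle and a server collator.

Constructed example. The user toggle is what the post calls for; the
https -> http suppression is the RFC 2616 (15.1.3) rule, added here as
an assumption about what a careful client should also do.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit


def referer_for(from_url: str, to_url: str, send_referer: bool = True):
    """Return the Referer value a client should send for this link, or None.

    send_referer is the user's on/off toggle. A link from a secure page
    to an insecure one gets no Referer at all, so the secure page's URL
    (which may carry session or account identifiers in its query string)
    is not disclosed over plain HTTP.
    """
    if not send_referer:
        return None
    src, dst = urlsplit(from_url), urlsplit(to_url)
    if src.scheme == "https" and dst.scheme != "https":
        return None
    # The fragment is never sent to a server, so it does not belong in a Referer.
    return src._replace(fragment="").geturl()


# Combined log format: request line, status, size, then the quoted Referer.
LOG_RE = re.compile(
    r'"(?:GET|HEAD|POST) (?P<path>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"'
)


def collate_backlinks(log_lines):
    """Build {local_path: [referring URLs]} from combined-format access log lines.

    Entries with an empty or "-" Referer are ignored, and so are values
    that are not absolute http(s) URLs, since the header is client
    supplied and may contain anything.
    """
    backlinks = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        ref = m.group("referer")
        if ref in ("", "-"):
            continue
        parts = urlsplit(ref)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            continue
        backlinks[m.group("path")].add(ref)
    return {path: sorted(refs) for path, refs in backlinks.items()}


# Constructed sample log lines (not from any real server).
SAMPLE_LOG = [
    '10.0.0.1 - - [18/Apr/1997:14:00:14 -0700] "GET /papers/ssl.html HTTP/1.0" '
    '200 1234 "http://www.example.org/links.html" "Mozilla/3.0"',
    '10.0.0.2 - - [18/Apr/1997:14:01:02 -0700] "GET /papers/ssl.html HTTP/1.0" '
    '200 1234 "http://news.example.net/digest.html" "Mozilla/3.0"',
    '10.0.0.3 - - [18/Apr/1997:14:02:30 -0700] "GET /index.html HTTP/1.0" '
    '200 512 "-" "Mozilla/3.0"',
    '10.0.0.4 - - [18/Apr/1997:14:03:45 -0700] "GET /index.html HTTP/1.0" '
    '200 512 "not a url" "Mozilla/3.0"',
]


if __name__ == "__main__":
    for path, refs in collate_backlinks(SAMPLE_LOG).items():
        print(path, "<-", ", ".join(refs))
    print(referer_for("https://shop.example/account?id=7", "http://other.example/"))
```

Run as a script it prints the backlink index for the sample log and `None` for the secure-to-insecure link; the functions are plain enough to drop into a log-processing job or a client-side link handler.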