On Fri, 28 Mar 1997, Bill Stewart wrote:
http://www.zdnet.com:80/intweek/daily/970327x.html has an article about an SSL problem that affects both Netscape and Microsoft IE browsers, leaking "secure" data such as credit card numbers from web pages with GET-based SSL forms on them. It was discovered by Dan Klein.
There isn't specific detail about how the flaw works, but it says that it affects GET forms but not POST. Commentary from NS, MS, Gene Spafford, and Steve Bellovin.
"It's like you've gone to the restaurant with your lover," Klein said. "The restaurant is there, it's private, yet when you leave the restaurant you have the menu in your hand and there's food all over your shirt."
I would guess that this means that Netscape and Explorer send the complete URL of the page that linked to another site in the "HTTP-REFERER" header in the clear when SSL is used. The only temporary solution is to use a local web proxy that removes this header, or, as the article suggests, manually type in a URL that is linked from a page using SSL. I can't think of too many situations where one might follow a link to another site immediately after sending sensitive information, but the contents of the "HTTP-REFERER" header are often logged, and the log is often world-readable...
# Thanks; Bill
# Bill Stewart, +1-415-442-2215 stewarts@ix.netcom.com
# You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp
# (If this is a mailing list, please Cc: me on replies. Thanks.)
Mark
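An added example, not part of the original message: if GET form data does travel in the Referer header as guessed above, it lands in the access log of whatever site the user visits next. This Python sketch audits Combined Log Format lines for https Referer URLs whose query fields hold Luhn-valid card numbers; the log lines, host names and test card number are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Combined Log Format tail: "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'"[^"]*" \d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$')

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def leaked_fields(referer: str):
    """Names of query fields in an https Referer that look like card numbers."""
    parts = urlsplit(referer)
    if parts.scheme != "https" or not parts.query:
        return []
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        digits = re.sub(r"[ -]", "", value)   # drop spaces and dashes
        if digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(name)
    return hits

def audit(log_lines):
    """Yield (line_number, field_names) for lines whose Referer leaks form data."""
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.search(line.strip())
        if m and (fields := leaked_fields(m.group("referer"))):
            yield n, fields

# Constructed sample log lines (hosts, paths and the test card number are made up).
SAMPLE_LOG = [
    '192.0.2.7 - - [28/Mar/1997:10:00:01 -0800] "GET /index.html HTTP/1.0" 200 2326 '
    '"https://shop.example/order?name=A+User&card=4111+1111+1111+1111" "Mozilla/3.01"',
    '192.0.2.8 - - [28/Mar/1997:10:00:05 -0800] "GET /index.html HTTP/1.0" 200 2326 '
    '"https://shop.example/checkout" "Mozilla/3.01"',   # POST form: nothing in the URL
    '192.0.2.9 - - [28/Mar/1997:10:00:09 -0800] "GET /index.html HTTP/1.0" 200 2326 '
    '"http://search.example/find?order=1234" "Mozilla/3.01"',
]

if __name__ == "__main__":
    for lineno, fields in audit(SAMPLE_LOG):
        print(f"line {lineno}: card-like data in Referer fields {fields}")
```

Only the first sample line is flagged, which matches the GET-versus-POST distinction reported in the article: a POST form keeps its fields out of the URL, so there is nothing for the Referer to carry.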