SSL weakness affecting links from pa
Bryan Lyles
lyles at parc.xerox.com
Mon Apr 14 12:34:53 PDT 1997
In message <3351F2DF.7DC26A1A at netscape.com>you write:
...
>In the eyes of some, the referer header is a privacy violation. It
>allows a site to see what site you visited before coming there. In the
>case of Navigator, we ONLY send the referer header when you click on a
>link. Not when you select a bookmark. Not when you type a URL into the
>location field. This allows web sites to see who links to them. I
>think that's something that a web author is entitled to know.
>
Tom,
<ignoring personal privacy issues>
I am concerned that the referer field could be a major corporate security
leak. In particular, many companies are now using the web for internal
project documentation. The URLs often contain project code words or code
names. If a project wishes to to establish links to competitors for purposes
of benchmarking, or to suppliers, the referer field would leak those code
words and/or project organization. In most security handbooks this is a
breach of project security.
Unfortunately, you (the commercial web community) are creating entitlements
which the user community is likely to disagree with strongly. My newspaper
does not have an entitlement to know which pages I read, the advertisers in
the newspaper do not have entitlements to the knowledge of which ads I scan.
Assumption of such entitlements in the web environment will inevitably lead to
privacy violations, security leaks and legal action.
-Bryan
More information about the cypherpunks-legacy
mailing list