SSL weakness affecting links from pages with GET forms
Bill Stewart
stewarts at ix.netcom.com
Fri Mar 28 19:57:43 PST 1997
http://www.zdnet.com:80/intweek/daily/970327x.html
has an article about an SSL problem that affects both Netscape
and Microsoft IE browsers, leaking "secure" data such as
credit card numbers from web pages with GET-based SSL forms on them.
It was discovered by Dan Klein.
There isn't specific detail about how the flaw works,
but it says that it affects GET forms but not POST.
Commentary from NS, MS, Gene Spafford, and Steve Bellovin.
"It's like you've gone to the restaurant with your lover," Klein said.
"The restaurant is there, it's private, yet when you leave the restaurant
you have the menu in your hand and there's food all over your shirt."
# Thanks; Bill
# Bill Stewart, +1-415-442-2215 stewarts at ix.netcom.com
# You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp
# (If this is a mailing list, please Cc: me on replies. Thanks.)