[thelist] More on SSL querystring encryption

Scott Dexter sgd at ti3.com
Thu Nov 30 17:41:09 CST 2000


> However, I just read in the O'Reilly 'Web Security & Commerce' book last
> night ... that if a user is on an SSL site --- let's say
...
> 'favorites' menu and opt out to your (non-SSL) web page {without pushing
> your 'logout' button} ... that the refer link logged on your website will
> contain their UNENCRYPTED prior link --- querystring and account numbers
> included!

Aside from the logged information ALWAYS being in plain text (SSL does not
include encrypting the web server's logging activity. Wow would that be a
pain)...

How does the browser know that the button pushed was "Logout"? It doesn't.
So how does it know to tear down the SSL session? The change in protocol
from "https://" to "http://". As far as data crossing that boundary, your
example points out a case where the browser would have to be intelligent
enough to not include the referrer information when going from SSL to a
non-SSL URL. Now, what's the Real World like? Hold on, lemme go test it with
a couple different browser versions. In 1997 this may have been an issue,
but I have the Rosy Glasses on and think it is a non-issue at this point
(the browsers having those smarts now).

Stay tuned--
sgd
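The "smarts" Scott is wondering about were later standardised as the Referrer Policy, and the helper below is an added example (not code from the thread or from any browser) that models what a browser sends in the Referer header for a navigation under a given policy. The policy names (`no-referrer`, `no-referrer-when-downgrade`, `strict-origin-when-cross-origin`, `unsafe-url`) are the real values from the W3C Referrer Policy specification; the function names and the sample bank/merchant URLs are constructed for illustration. The point it makes is the one in the message: the leak the O'Reilly book describes only happens under `unsafe-url`-style behaviour, while the legacy browser default withholds the Referer on an HTTPS to HTTP downgrade and the current default additionally trims it to the origin whenever the destination is cross-origin. Either way, the server log on the non-SSL site never receives the query string.

```python
from urllib.parse import urlsplit, urlunsplit

# Referrer Policy values this helper understands (names from the W3C spec).
NO_REFERRER = "no-referrer"
NO_REFERRER_WHEN_DOWNGRADE = "no-referrer-when-downgrade"        # legacy browser default
STRICT_ORIGIN_WHEN_CROSS_ORIGIN = "strict-origin-when-cross-origin"  # current browser default
UNSAFE_URL = "unsafe-url"                                        # always send the full URL


def _host_port(parts):
    """Host (and explicit port) without any user:password@ prefix."""
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    return host


def _origin(url):
    """Serialised origin, e.g. 'https://bank.example' (assumed sample host)."""
    p = urlsplit(url)
    return f"{p.scheme}://{_host_port(p)}"


def _strip_for_referrer(url):
    """Browsers never send userinfo or the fragment in Referer; path and query are sent."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, _host_port(p), p.path, p.query, ""))


def _is_downgrade(from_url, to_url):
    """True when navigating from a TLS-protected page to a plain-HTTP one."""
    return urlsplit(from_url).scheme == "https" and urlsplit(to_url).scheme == "http"


def referer_for_navigation(from_url, to_url, policy=STRICT_ORIGIN_WHEN_CROSS_ORIGIN):
    """Return the Referer value a browser would send, or None when it sends nothing."""
    if policy == NO_REFERRER:
        return None
    if policy == UNSAFE_URL:
        # The behaviour the book warns about: full URL, query string included,
        # even when the destination is plain HTTP.
        return _strip_for_referrer(from_url)
    if _is_downgrade(from_url, to_url):
        # Both remaining policies withhold the referrer on HTTPS -> HTTP.
        return None
    if policy == NO_REFERRER_WHEN_DOWNGRADE:
        return _strip_for_referrer(from_url)
    if policy == STRICT_ORIGIN_WHEN_CROSS_ORIGIN:
        if _origin(from_url) == _origin(to_url):
            return _strip_for_referrer(from_url)
        return _origin(from_url) + "/"   # cross-origin: origin only, no path or query
    raise ValueError(f"unsupported policy: {policy}")


if __name__ == "__main__":
    # Constructed sample: an account page with the account number in the query string.
    secure_page = "https://bank.example/account?acct=12345678"
    plain_page = "http://www.merchant.example/"
    for policy in (UNSAFE_URL, NO_REFERRER_WHEN_DOWNGRADE, STRICT_ORIGIN_WHEN_CROSS_ORIGIN):
        print(f"{policy:32} -> {referer_for_navigation(secure_page, plain_page, policy)!r}")
```

A site that still wants belt and braces can set `Referrer-Policy: no-referrer` (or `strict-origin-when-cross-origin`) as a response header, and, as the thread's subject line implies, keep account numbers out of query strings altogether, since the query string also lands in the site's own plaintext access log regardless of SSL.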