[thelist] More on SSL querystring encryption
Scott Dexter
sgd at ti3.com
Thu Nov 30 17:41:09 CST 2000
> However, I just read in the O'Reilly 'Web Security & Commerce' book last
> night ... that if a user is on an SSL site --- let's say
> ...
> 'favorites' menu and opt out to your (non-SSL) web page {without pushing
> your 'logout' button} ... that the referer link logged on your website will
> contain their UNENCRYPTED prior link --- querystring and account numbers
> included!
Aside from the logged information ALWAYS being in plain text (SSL does not
include encrypting the web server's logging activity. Wow, would that be a
pain)...

How does the browser know that the button pushed was "Logout"? It doesn't.
So how does it know to tear down the SSL session? The change in protocol
from "https://" to "http://". As far as data crossing that boundary, your
example points out a case where the browser would have to be intelligent
enough to not include the referrer information when going from SSL to a
non-SSL URL. Now, what's the Real World like? Hold on, lemme go test it with
a couple of different browser versions. In 1997 this may have been an issue,
but I have the Rosy Glasses on and think it is a non-issue at this point
(the browsers having those smarts now).
Stay tuned--
sgd