[wellylug] Possibly weird https -> http effect

jumbophut jumbophut at gmail.com
Wed Oct 20 12:18:09 NZDT 2004


On Wed, 20 Oct 2004 11:45:55 +1300, Darryl Hamilton wrote:

> Just come across something very weird (at least in my opinion) with
> regards to posting a form from https to an http address.
> 
> The weird part is the referer is not included, but only with this
> particular direction - http -> http, https -> https and http -> https
> are all fine.
> 
It's browser dependent, and RFC 2818 doesn't appear to have anything
to say on the issue.

Personally, I would regard it as a gaping security hole if a browser
passed along an https url to any http page or to an https page on a
different site.  This is because (feel free to correct me if I'm
wrong) the intent of the encryption is to encrypt _everything_ except
the IP.

More here:
<http://lists.evolt.org/archive/Week-of-Mon-20020121/066423.html>

-- 
Tony (echo 'spend!,pocket awide' | sed 'y/acdeikospntw!, /l at omcgtjuba.phi/')
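The four transitions Darryl lists, together with the stricter rule Tony argues for, written out as a decision function. This is an added example, not code from the thread; the policy names are the later Referrer Policy names ("no-referrer-when-downgrade" for the observed behaviour, "strict-origin-when-cross-origin" for the stricter one) and are assumed here.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit


def referrer_for(source_url: str, target_url: str,
                 policy: str = "no-referrer-when-downgrade") -> Optional[str]:
    """Return the Referer value sent for a form post / navigation from
    source_url to target_url, or None when nothing is sent.

    no-referrer-when-downgrade: the behaviour observed in the thread.
      http  -> http   full URL
      https -> https  full URL
      http  -> https  full URL
      https -> http   nothing (the "weird" case)
    strict-origin-when-cross-origin: the stricter behaviour the reply
      argues for; same as above, except a cross-origin target only gets
      the origin, never the path and query.
    """
    src = urlsplit(source_url)
    dst = urlsplit(target_url)

    # The only case in which nothing at all is sent: a TLS-protected page
    # handing its URL to a cleartext destination.
    if src.scheme == "https" and dst.scheme == "http":
        return None

    # The Referer never carries credentials or a fragment; drop any
    # user:pass@ part of the authority and the fragment component.
    host = src.netloc.rsplit("@", 1)[-1]
    full = urlunsplit((src.scheme, host, src.path or "/", src.query, ""))

    if policy == "no-referrer-when-downgrade":
        return full
    if policy == "strict-origin-when-cross-origin":
        same_origin = (src.scheme, host) == (dst.scheme, dst.netloc.rsplit("@", 1)[-1])
        return full if same_origin else f"{src.scheme}://{host}/"
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    # Constructed sample URLs, not taken from the thread.
    for s, t in [("http://a.example/cart", "http://b.example/pay"),
                 ("https://a.example/cart", "https://b.example/pay"),
                 ("http://a.example/cart", "https://b.example/pay"),
                 ("https://a.example/cart", "http://b.example/pay")]:
        print(f"{s} -> {t}: {referrer_for(s, t)!r}")
```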
