[wellylug] Possibly weird https -> http effect
Darryl Hamilton
wellylug at addict.net.nz
Wed Oct 20 13:34:08 NZDT 2004
jumbophut wrote:
> On Wed, 20 Oct 2004 11:45:55 +1300, Darryl Hamilton wrote:
>
>
>>Just come across something very weird (at least in my opinion) with
>>regards to posting a form from https to an http address.
>>
>>The weird part is the referer is not included, but only with this
>>particular direction - http -> http, https -> https and http -> https
>>are all fine.
>>
>
> It's browser dependent, and RFC 2818 doesn't appear to have anything
> to say on the issue.
>
> Personally, I would regard it as a gaping security hole if a browser
> passed along an https url to any http page or to an https page on a
> different site. This is because (feel free to correct me if I'm
> wrong) the intent of the encryption is to encrypt _everything_ except
> the IP.
>
> More here:
> <http://lists.evolt.org/archive/Week-of-Mon-20020121/066423.html>
Agreed. Security research was what brought up the problem in the first
place (adding referer checks to a form to email script).
I've done a little more searching and, surprisingly enough, the rfc2616
(HTTP 1.1) has this to say...
"Clients SHOULD NOT include a Referer header field in a (non-secure)
HTTP request if the referring page was transferred with a secure protocol."
So, I guess it's not a weird browser thing, but part of the actual spec.
Darryl.
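The RFC 2616 rule quoted in the thread, and the referer check on a form-to-email script it tripped up, as an added example that is not part of the original mailing-list post. The client side models the rule from RFC 2616 section 15.1.3 (Referer suppressed only for a secure -> non-secure transition); the server side shows why a script that treats a missing Referer as an error rejects legitimate https -> http posts. All host names (`shop.example`, `mail.example`) are constructed for the example.

```python
from urllib.parse import urlparse

# Directions the thread compared, with constructed host names.
DIRECTIONS = {
    "http -> http":   ("http://shop.example/form",  "http://mail.example/cgi-bin/mail"),
    "https -> https": ("https://shop.example/form", "https://mail.example/cgi-bin/mail"),
    "http -> https":  ("http://shop.example/form",  "https://mail.example/cgi-bin/mail"),
    "https -> http":  ("https://shop.example/form", "http://mail.example/cgi-bin/mail"),
}


def should_send_referer(referring_url: str, target_url: str) -> bool:
    """RFC 2616 section 15.1.3: clients SHOULD NOT send Referer on a
    non-secure request when the referring page was fetched securely.
    Every other scheme combination keeps the header."""
    ref_scheme = urlparse(referring_url).scheme.lower()
    tgt_scheme = urlparse(target_url).scheme.lower()
    return not (ref_scheme == "https" and tgt_scheme == "http")


def build_request_headers(referring_url: str, target_url: str) -> dict:
    """Headers a spec-following browser would attach to the form POST."""
    headers = {"Host": urlparse(target_url).netloc}
    if should_send_referer(referring_url, target_url):
        headers["Referer"] = referring_url
    return headers


def check_form_origin(headers: dict, allowed_hosts: set) -> str:
    """Referer check as a form-to-email script might do it.
    Returns 'allowed', 'rejected' or 'missing' rather than collapsing
    'missing' into 'rejected', so the caller can decide what to do with
    posts that arrived over the https -> http transition."""
    referer = headers.get("Referer")
    if referer is None:
        return "missing"
    host = urlparse(referer).netloc.lower()
    return "allowed" if host in allowed_hosts else "rejected"


def simulate_all_directions(allowed_hosts: set = frozenset({"shop.example"})) -> dict:
    """Run each direction through the browser model and the server check.
    The https -> http case comes back 'missing' even though the post is
    legitimate, which is the behaviour the thread observed."""
    results = {}
    for name, (referring, target) in DIRECTIONS.items():
        headers = build_request_headers(referring, target)
        results[name] = check_form_origin(headers, allowed_hosts)
    return results


if __name__ == "__main__":
    for direction, verdict in simulate_all_directions().items():
        print(f"{direction:15} -> {verdict}")
```

Two things follow for anyone relying on such a check: a missing Referer must not be treated as proof of misuse, because a standards-following browser drops it on exactly the secure -> non-secure hop shown above, and a present Referer is only a hint since the header is supplied by the client. The simplest fix for the case in the thread is to receive the form over https as well, which keeps the header and keeps the submitted data encrypted.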