Re: HTTP "Referer" field considered harmful
On Mon, 24 Apr 1995, Prentiss Riddle wrote:
> As a webmeister, I like the idea behind the Referer field and plan to
> make more use of it to determine what sites are pointing at mine.
> Perhaps the real problem lies in assuming that URLs will remain secret
> and therefore assuming that they are an appropriate mechanism for
> passing secrets or performing session authentication.
The http spec has (and has had) this to say about it:
    Note: Because the source of a link may be considered private
    information or may reveal an otherwise secure information
    source, it is strongly recommended that the user be able to
    select whether or not the Referer field is sent. For
    example, a browser client could have a toggle switch for
    browsing openly/anonymously, which would respectively
    enable/disable the sending of Referer and From information.
I am unaware of any browsers that implement this option (not to say that
none do, but if it exists on any that I use, it's well hidden.) This is
far from a complete solution, because it relies on the user not to
redistribute the URL rather than keeping it under the control of the
server. It is part and parcel in the protocol that the user must know the
URL, though, because the browser had to open to it in the first place.
Thus you are correct that assuming a URL will remain secret is inherently
insecure.
--
Paul Phillips EMAIL: psp@ucsd.edu PHONE: (619) 220-0850
WWW: http://www.primus.com/staff/paulp/ FAX: (619) 220-0873
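The leak discussed in this thread, as an added example that is not part of the original message: a session token carried in a "private" URL reaches a third-party server through the Referer header, and a small check over that server's access log flags any Referer that still carries such a parameter. The hostnames, token and log lines are constructed, and the `SECRET_KEYS` list is an assumption about which query parameters hold secrets.

```python
from urllib.parse import urlsplit, parse_qs
from typing import Optional
import re

# Query-string keys that commonly carry secrets (assumed list; extend as needed).
SECRET_KEYS = {"session", "sessionid", "token", "key", "auth"}

def build_referer(current_url: str, send_referer: bool = True) -> Optional[str]:
    """Model what a browser sends as Referer when following a link from
    current_url. The spec's suggested 'anonymous' toggle corresponds to
    send_referer=False, in which case no Referer is sent at all."""
    if not send_referer:
        return None
    return current_url  # browsers of the era sent the full URL, query string included

def leaked_secrets(referer: Optional[str]) -> dict:
    """Return the secret-looking query parameters exposed by a Referer value."""
    if not referer:
        return {}
    params = parse_qs(urlsplit(referer).query)
    return {k: v[0] for k, v in params.items() if k.lower() in SECRET_KEYS}

# Constructed combined-format access log, as the third-party site would record it.
SAMPLE_LOG = """\
203.0.113.9 - - [24/Apr/1995:10:00:01 -0700] "GET /index.html HTTP/1.0" 200 512 "http://private.example/report?session=abc123def" "Mosaic/2.4"
203.0.113.9 - - [24/Apr/1995:10:00:02 -0700] "GET /logo.gif HTTP/1.0" 200 1024 "http://private.example/report" "Mosaic/2.4"
198.51.100.7 - - [24/Apr/1995:10:01:00 -0700] "GET /index.html HTTP/1.0" 200 512 "-" "Lynx/2.3"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<req>[^"]*)" \d+ \S+ "(?P<ref>[^"]*)" "[^"]*"$')

def scan_log(text: str) -> list:
    """Return (client, referer, leaked params) for each line whose Referer carries a secret."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["ref"] == "-":
            continue
        leaked = leaked_secrets(m["ref"])
        if leaked:
            hits.append((m["ip"], m["ref"], leaked))
    return hits

if __name__ == "__main__":
    for ip, ref, leaked in scan_log(SAMPLE_LOG):
        print(f"{ip} leaked {leaked} via Referer {ref}")
```

The same check run on your own server's logs shows whether other sites are handing you their users' URL-embedded secrets; run against a log from a site you link out to, it shows what you are leaking.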