S S L   B U G ?
WebDeveloper.com

Major SSL Security Hole?

By David Fiedler

What the Heck?

"Everyone knows" that SSL (Secure Sockets Layer) guarantees total security for electronic commerce on the Web. It provides foolproof encryption, a detailed "audit trail" between a user's browser and any applications running on either the browser or the server, and default notification to the user if there are any insecure "holes" in a page.

But Brian Clark, President of GMD Studios in Orlando, FL, seems to have found evidence to the contrary. During the process of developing software for a client, he came up with a page which is served via SSL and includes a JavaScript program which calls a remote, unsecure CGI URL, passing environment variables. This JavaScript call is loading the .src attribute of an image object:


<SCRIPT LANGUAGE="JavaScript">
<!--

   var imgObj = new Image;
   var ltUrl = "http://www.rankthis.com/cgi-bin/trakker/js_trakker.cgi";
   imgObj.src = ltUrl + "?ref=" + document.referrer;

//-->
</SCRIPT>

When he tested the page using Netscape Communicator 4 on Windows 95, MacOS and Linux, none of them provided any warning that an insecure CGI was called from the secure page, though Microsoft Internet Explorer 4.0 for Win95 properly displayed a "secure/insecure mix" warning dialog.

However, see the pages at the following URLs to see examples of how even Internet Explorer fails to always notice the potential security problem with Java applets:

According to Clark, a similar technique (passing information to a CGI program via GET-style encoding in the URL) could be used to lift data (including credit card numbers) from a secure form and deliver it to an outside, insecure server, along with environment variables. He says: "Amazing how fragile the whole SSL thing is, eh? Outside of the <applet> tag, it generates a warning...inside the <applet> tag, it doesn't...despite the fact in both cases there is communication with an insecure server."

We've tested this with Netscape 4.06 and IE 4.0 SP1 on Windows NT 4.0. We'd like to hear from Netscape and Microsoft as to whether they think this is of genuine concern or not. Personally, I may go back to sending checks via carrier pigeon.
-- David Fiedler
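
A static check a site owner could run over pages meant for SSL delivery, added here as an example (not code from the article or from GMD Studios): it flags plain-http URLs both in markup attributes and in inline script string literals, which is the case the browsers above let through. The function name, the attribute list, the sample page and its `.example` hosts are constructed assumptions, and a regex scan like this is a lint-level check rather than a full HTML parser.

```javascript
// Added example: lint a page meant for HTTPS delivery for plain-http loads.
// Attribute list is an assumption covering the tags discussed in the article.
const ATTRS = ["src", "action", "codebase", "archive", "data", "href"];

function findInsecureRefs(html) {
  const findings = [];
  const scriptRe = /(<script\b[^>]*>)([\s\S]*?)<\/script>/gi;
  let m;
  // 1. Inline scripts: string literals starting with http:// (URL assembled at run time).
  while ((m = scriptRe.exec(html)) !== null) {
    const strRe = /(["'`])(http:\/\/[^"'`\s]+)\1/gi;
    let s;
    while ((s = strRe.exec(m[2])) !== null) {
      findings.push({ where: "script", url: s[2] });
    }
  }
  // 2. Markup: drop script bodies but keep the opening tag so <script src> is still seen.
  const markup = html.replace(scriptRe, "$1");
  const tagRe = /<([a-z][a-z0-9]*)\b([^>]*)>/gi;
  while ((m = tagRe.exec(markup)) !== null) {
    const tag = m[1].toLowerCase();
    if (tag === "a") continue; // a link is navigation, not a load made by this page
    const attrRe = /([a-z-]+)\s*=\s*(["'])(http:\/\/[^"']+)\2/gi;
    let a;
    while ((a = attrRe.exec(m[2])) !== null) {
      const name = a[1].toLowerCase();
      if (ATTRS.includes(name)) findings.push({ where: `<${tag} ${name}>`, url: a[3] });
    }
  }
  return findings;
}

// Constructed sample: the article's script plus an applet and safe or ignored tags.
const SAMPLE_PAGE = `
<form action="https://shop.example/checkout" method="post"></form>
<img src="https://shop.example/logo.gif">
<a href="http://partner.example/">partner</a>
<applet code="Ticker.class" codebase="http://applets.example/classes/"></applet>
<script language="JavaScript">
  var imgObj = new Image;
  var ltUrl = "http://www.rankthis.com/cgi-bin/trakker/js_trakker.cgi";
  imgObj.src = ltUrl + "?ref=" + document.referrer;
</script>`;

for (const f of findInsecureRefs(SAMPLE_PAGE)) console.log(f.where, f.url);
```
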

Last modified: 20