From: <[EMAIL PROTECTED]>

> any Proxy operator can do this with any non-SSL connection. One can spy session
> ids in the URL, in the GET-parameters and the POST-parameters, also cookies and
> basic auth passwords, also passwords in html forms - and every bit of data
> that's sent back.
> 
> Oh, and firewall operators and router operators and all people on the same
> physical network can do the same...


You're right, you can never be secure without encryption. But will browsers
reliably strip the HTTP_REFERER if you leave a secure page? If they don't,
you would still have to pass all external links through one of your own
scripts. I see this becoming a problem in a larger, heterogeneous
environment, because someone is certainly going to forget this protective
curtain and just write a plain HTML link. And any attacker would of course
try to provoke this.


cheers,
stefan
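Added example, not part of the thread: the "exit script" approach described above, as a defender would build it, plus a lint for the failure case (a plain off-site link that bypasses it). The redirector path `/out`, the host names and the sample page are assumptions, not from the mail.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlencode, urlparse

# Hypothetical path of the site's own exit script (assumption, not from the thread).
REDIRECTOR = "/out"

def is_external(href, site_host):
    """True for an absolute http(s) link that points off-site."""
    u = urlparse(href)
    return u.scheme in ("http", "https") and u.netloc not in ("", site_host)

def wrap_external_link(href, site_host):
    """Route an off-site link through the exit script; site-local links stay as they are."""
    if not is_external(href, site_host):
        return href
    return REDIRECTOR + "?" + urlencode({"to": href})

def bounce_page(target):
    """Body the exit script serves. The browser lands here first, so any Referer it
    sends onward is the exit script's own URL (no session id in it), and the meta
    tag asks the browser to send no Referer at all. Only absolute http(s) targets
    are forwarded, so the script cannot be pointed at other schemes."""
    u = urlparse(target)
    if u.scheme not in ("http", "https") or not u.netloc:
        raise ValueError("exit script only forwards to absolute http(s) URLs")
    safe = html.escape(target, quote=True)
    return ('<!DOCTYPE html><html><head>'
            '<meta name="referrer" content="no-referrer">'
            f'<meta http-equiv="refresh" content="0;url={safe}">'
            f'</head><body><a href="{safe}">Continue</a></body></html>')

class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def find_unwrapped_external_links(page_html, site_host):
    """Lint a rendered page for plain off-site links that bypass the exit script:
    the 'someone forgot the protective curtain' case the mail warns about."""
    p = _LinkCollector()
    p.feed(page_html)
    return [h for h in p.hrefs if is_external(h, site_host)]

if __name__ == "__main__":
    # Constructed sample page: one local link, one wrapped link, one forgotten plain link.
    sample = ('<a href="/account?sid=deadbeef">Account</a>'
              '<a href="/out?to=https%3A%2F%2Fpartner.test%2F">Partner</a>'
              '<a href="https://forgotten.test/">Forgotten</a>')
    print(find_unwrapped_external_links(sample, "www.example.test"))
```

Running the lint over every rendered page in a test suite catches the forgotten link before it reaches a user whose session id sits in the URL.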