[aklug] Re: State of Alaska Security / SSL

From: Royce Williams <royce@alaska.net>
Date: Thu May 20 2010 - 08:43:28 AKDT

Joshua J. Kugler wrote, on 5/20/2010 8:35 AM:
> On Thursday 20 May 2010, Royce Williams elucidated thus:
>> Scott A. Johnson wrote, on 5/20/2010 8:23 AM:
>>
>> [snip]
>>
>>> My question is: is the URL
>>> string of an HTTPS session encrypted along with the actual data of
>>> the page? Or is the URL sent plain text before SSL is established,
>>> and therefore someone could get my username and password just by
>>> the URL regardless of HTTPS/SSL? What about server logs or client
>>> side history - wouldn't the goodies be cached and/or retained in
>>> these areas?

>> The encryption is set up before the URL is transmitted. The 'https'
>> URI scheme name just tells the browser "Hey, set up SSL to
>> example.net before doing the HTTP." So you're OK "in flight", as it
>> were.
>>
>> The server logs and client history would probably contain the
>> results.
>
> The other danger is if a secure web site using this method links to an
> off-site page. The referrer will contain your user and pass. This is
> really worrying as this is a security "hole" that I remember hearing
> talked about *YEARS* ago. It's really sad to see the AK IT department
> using something like this.

On the off chance that they're just not aware of the issue ... surely
someone on the AKLUG list is with ETS at the State, or has contacts with
ETS? If so, please forward this thread as a potential action item.

Even if we're mistaken ... as a professional courtesy, I would want to
know that this discussion is taking place, and correct any misunderstanding.

To get the ball rolling, I've added myalaska.help@alaska.gov to the thread.

Royce
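The thread raises two distinct questions: what an on-path observer can see of an HTTPS URL, and where a credential placed in the query string ends up afterwards (server logs, browser history, and the Referer header of links off the page). The following Python is an added example, not code from the original thread or from any State of Alaska system; it models those three points for a constructed URL and some constructed access-log lines. The `SENSITIVE_PARAMS` list is an assumption, and the Referer rule encoded in `referer_sent` is the default browser behaviour (RFC 2616 section 15.1.3: no Referer when going from https to plain http, the full page URL otherwise).

```python
"""Added example (not part of the original aklug thread): which parts of an
HTTPS URL travel in the clear, which query parameters carry credentials, and
what the Referer header would carry when the page links elsewhere.
All URLs and log lines below are constructed samples."""
from urllib.parse import urlsplit, parse_qs

# Query parameter names commonly used for credentials (assumed list).
SENSITIVE_PARAMS = {"user", "username", "pass", "password", "passwd", "pwd", "token"}


def wire_visibility(url):
    """Split a URL into what an on-path observer sees when the browser opens
    the connection and what only travels inside the TLS tunnel."""
    p = urlsplit(url)
    default_port = 443 if p.scheme == "https" else 80
    visible = {"scheme": p.scheme, "host": p.hostname, "port": p.port or default_port}
    if p.scheme == "https":
        # The request line (path + query) is sent only after the TLS handshake.
        return {"visible_on_wire": visible, "inside_tls": {"path": p.path, "query": p.query}}
    # Plain HTTP: the whole request line is cleartext.
    visible.update({"path": p.path, "query": p.query})
    return {"visible_on_wire": visible, "inside_tls": {}}


def credentials_in_query(url):
    """Return the sorted names of sensitive parameters found in the query string."""
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(k for k in q if k.lower() in SENSITIVE_PARAMS)


def referer_sent(page_url, link_url):
    """Model the default Referer rule: nothing is sent when an https page links
    to a non-https URL; otherwise the page URL minus its fragment is sent,
    so any credential in the query string leaks to the linked site."""
    src, dst = urlsplit(page_url), urlsplit(link_url)
    if src.scheme == "https" and dst.scheme != "https":
        return None
    return src._replace(fragment="").geturl()


def scan_access_log(lines):
    """Flag access-log lines whose request target carries credentials in the
    query string. Returns a list of (target, [param names]) tuples."""
    findings = []
    for line in lines:
        try:
            request = line.split('"')[1]  # e.g. 'GET /login?user=x HTTP/1.1'
            target = request.split()[1]
        except IndexError:
            continue  # not a request line in the expected combined-log shape
        # Prefix a placeholder origin so urlsplit treats the target as a path.
        params = credentials_in_query("https://log.example" + target)
        if params:
            findings.append((target, params))
    return findings


if __name__ == "__main__":
    url = "https://example.net/login?user=alice&pass=s3cret"
    print(wire_visibility(url))
    print(credentials_in_query(url))
    print(referer_sent(url, "http://other.example/"))   # None: https -> http downgrade
    print(referer_sent(url, "https://other.example/"))  # full URL, credentials included
    sample_log = [  # constructed lines in Apache combined-log shape
        '10.0.0.1 - - [20/May/2010:08:35:00 -0800] "GET /login?user=alice&pass=s3cret HTTP/1.1" 200 512',
        '10.0.0.2 - - [20/May/2010:08:36:00 -0800] "GET /static/logo.png HTTP/1.1" 200 2048',
    ]
    print(scan_access_log(sample_log))
```

Running it shows that with HTTPS only the scheme, host and port are observable in flight, while the path and query are inside TLS, and that the same query string is nevertheless recorded verbatim in the server's access log and handed to any HTTPS site the page links to. `scan_access_log` is the kind of check an operator could run over existing logs to find out whether credentials are already being retained there.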
Received on Thu May 20 08:43:37 2010

This archive was generated by hypermail 2.1.8 : Thu May 20 2010 - 08:43:37 AKDT