Security: Referrer

---

If you are a ...
you will find that one of the most valuable ... can use is the ...
On the other hand, if you are a surfer, you maywant to disable this feature as it can be a securi If you are a webmaster, you will find that one of the most valuable thingsyou can use is the referrer. On the other hand, if you are a surfer, you maywant to disable this feature as it can be a security risk and a violation ofyour privacy.What is this referrer thingie? Well, all web servers have the capability tocreate log files and virtually all web masters (at least those who know whatthey are doing) use these logs to determine how their web site is doing.
Thelog files contain one line for each hit to the web site. The format andcontents of the line vary from server to server (and webmasters can specifythey want more or less information), but in general it has an incredibleamount of information about that one hit.Some of the information gathered for each hit to a web site includes (amongother things):- The requested file (for example, index.html)- A status code indicating success or error (404 errors, for example)- The browser type being used by the surfer (this is the agent name, and itcan also be the name of a search engine spider or a spam harvester).- The screen resolution of the surfer's monitor- The date and time (locally to the server) of the hit- The TCP/IP address of the surfer (yes, every web page that you have everlooked at has your TCP/IP recorded in a web server log file somewhere).- The URL where the surfer came fromIt's this last statistic that causes some concern.
Oh, there is a minorissue in that your TCP/IP address is stored in the server logs when youaccess a page, but this is not very important. You see, these logs do nottend to last very long as they get very large extremely quickly.
Many (ifnot most) web sites purge these as soon as statistics are gathered.Conceivably, of course, this could be of concern if an investigation wereperformed ... and these logs are looked at by webmasters for hackingattempts.No, the important information is the referrer field.
Why? Well, first thereis the privacy question. If a webmaster knew your TCP/IP address (and hewould have to know your address specifically, since this is the only thingrelating you to the line in the log file - there is no name or email addressstored there) he could get an idea of what you looked at before you came tohis site.
Thus, there is a remote chance that your privacy could becompromised ... a very remote chance since this is virtually never done byany webmaster.The second, and very critical problem is a real security risk.
You see, manywebsites allow you to log into their sites to personalize your experience.These sites allow you to enter personal data such as credit cardinformation, social security numbers and other items into their database.Generally cookies are used to identify you as you move from page to pagethrough the web site. Cookies are by far the best and preferred way to dothis - it's called maintaining context.
However, cookies are frowned upon mymany surfers for various reasons (mostly blown out of proportion fearscreated by a press that feels it needs dangers and bad news to staycompetitive).Thus, some clever webmasters have come up with alternate ways to allow theirweb sites to know that "you are you" as you move around on their site. Avery sloppy method consists of adding a username and password on to the endof each URL.For example, suppose you log into a shopping site with a username andpassword like so: URL: http://www.anyshoppingsite.com Username: innocent Password: naiveIf you moved to a page called "toys.htm", the URL might become: http://www.anyshoppingsite.com?u=innocent?p=naiveYou see the problem? Not yet? Okay, there is no problem as you move aroundfrom page to page within the shopping site.
The problem results when yousurf to another page outside of the shopping site.What happens? Well, if you surfed to another site from the page above, thatURL complete with the username and password would be added to the server logfiles. Guess what, your username and password just got recorded in plaintext somewhere completely unexpected.So what's the problem really? Well, let's say you went to your shoppingsite, logged in and made some purchases.
To make it simple for you, yourcredit card numbers are stored on the site and you can retrieve them at anytime after you are logged in. Everything seems safe because you need ausername and password to get in.Now, when you are finished shopping you are supposed to log out.
This wouldremove the username and password from the referrer. However, you don't dothis and instead surf to another site.
You leave your username and passwordin that webmasters log files. If that webmaster happens to check his logfiles he could get your username and password, log into your account and getyour credit card numbers.Are you alarmed yet?Okay, how do you stop this from happening? It's relatively easy, actually.You get a product called AdSubtract and install it on your computer.
Bydefault this product will remove the referrer field as you surf around. Youare now protected.Oh yes, one side effect is you cannot just surf to that shopping site, sincethe login information is removed by AdSubtract.
Fortunately, AdSubtractallows you to configure exceptions. All you need to do is enter the"filters" section, add your shopping site and specify to not remove thereferrer.And that, my friends, is how you protect yourself from one of the internet'sbiggest gaping security holes.
I hope this has been of use to you. Article Tags: These Logs, Tcp/ip Address, Shopping Site Source: Free Articles from ArticlesFactory.com .