On Fri, 7 Jan 2005, Luca Marchiori wrote:
> Hi Henrik.
>
> > So your real question is if it is possible to determine with the help of
> > Squid if this employee is uploading confidential information to a third
> > party web site.
>
> No ! My REAL (and original) question is if it is possible to grab user and
> password from an url.
> Sorry, but I heat when one change my question because "I'm sure you intend
> this question and not the original one you made".
> I am a consultant, my customer wanna know user and password for the virtual
> hard drive and I have to give it him. Stop.
> We already know the employee is uploading confidential information to the
> internet.
While the FTP scheme does provide a mechanism for passing a user ID and
password in a URL, the HTTP scheme doesn't provide such a mechanism.
The issue is moot when dealing with HTTPS as the HTTP header is part of
the encrypted payload. Only the IP and TCP headers are transmitted in the
clear.
--
BEGIN: vcard
VERSION: 3.0
FN: Merton Campbell Crockett
ORG: General Dynamics Advanced Information Systems;
Intelligence and Exploitation Systems
N: Crockett;Merton;Campbell
EMAIL;TYPE=internet: [EMAIL PROTECTED]
TEL;TYPE=work,voice,msg,pref: +1(805)497-5045
TEL;TYPE=work,fax: +1(805)497-5050
TEL;TYPE=cell,voice,msg: +1(805)377-6762
END: vcard
