On Fri, 7 Jan 2005, Luca Marchiori wrote: > Hi Henrik. > > > So your real question is if it is possible to determine with the help of > > Squid if this employee is uploading confidential information to a third > > party web site. > > No ! My REAL (and original) question is if it is possible to grab user and > password from an url. > Sorry, but I heat when one change my question because "I'm sure you intend > this question and not the original one you made". > I am a consultant, my customer wanna know user and password for the virtual > hard drive and I have to give it him. Stop. > We already know the employee is uploading confidential information to the > internet.
While the FTP scheme does provide a mechanism for passing a user ID and password in a URL, the HTTP scheme doesn't provide such a mechanism. The issue is moot when dealing with HTTPS as the HTTP header is part of the encrypted payload. Only the IP and TCP headers are transmitted in the clear. -- BEGIN: vcard VERSION: 3.0 FN: Merton Campbell Crockett ORG: General Dynamics Advanced Information Systems; Intelligence and Exploitation Systems N: Crockett;Merton;Campbell EMAIL;TYPE=internet: [EMAIL PROTECTED] TEL;TYPE=work,voice,msg,pref: +1(805)497-5045 TEL;TYPE=work,fax: +1(805)497-5050 TEL;TYPE=cell,voice,msg: +1(805)377-6762 END: vcard