Dan Jacobson <[EMAIL PROTECTED]> writes:
> I was reading in comp.risks,
>
> } Subject: Re: MarketScore exploit (Emigh, RISKS-23.88)
> }
> } They're not the only ones. Microsoft ISA (Internet Security and
> } Acceleration) Server 2004 does the same thing: it allows clients to
> } establish a secure connection with it, and then it establishes a secure
> } connection with the remote site.
> }
> } It does not log the content of the session (though future versions of ISA
> } Server may allow this). But it does log the full URL, and HTTP headers
> } (such as user agent) that you would normally expect to be invisible over an
> } https connection.
>
> By golly that's it. That's how wwwoffle can cache https sessions. No
> more staring at that last precious browser screen after disconnection.
> I hate volatile information.
>
> OK, you guys work out the details. I'm too busy off looking for my
> next ground shattering concept discovery.

I had already worked out the details before I read this article on
comp.risks. I even got as far as testing that it would work - and it
does.

The question is whether people would want this or not?

If not used carefully then it means that your bank details are visible
to anybody who can access your WWWOFFLE cache. But with careful use
of default options to disable it and only being enabled for sites with
public data (e.g. bugzilla.mozilla.org which insists on https) then it
would be useful to have.

--
Andrew.
----------------------------------------------------------------------
Andrew M. Bishop [EMAIL PROTECTED]
http://www.gedanken.demon.co.uk/
WWWOFFLE users page:
http://www.gedanken.demon.co.uk/wwwoffle/version-2.8/user.html