Full Disclosure mailing list archives
anonymizer.com doesn't use ssl on target website
From: Ka <ka () khidr net>
Date: Tue, 18 Feb 2003 20:03:08 +0100
The member service of anonymizer.com may encrypt traffic between the client-browser and anonymizer.com-proxy using SSL, but whenever you click on an SSL-link (say <a href="https://target.com">) anonymizer translates that into a non-ssl link of the same address (say http://target.com).

This results in unencrypted, spoofable traffic between the anonymizer-proxy and the target website.

As the contact with an ssl-encrypted target-website does certainly contain sensitive information (why should it be SSL-encrypted otherwise?), it's probably not a good idea to use the member services of anonymizer.com IMO - at least not on SSL-target-sites.

Vendor-support was contacted, but first ignored the impact of that programming error ("That's fine... our service keeps your connection secure.") and then did not answer the second email within five days. That might be an indication that anonymizer.com is not very security-oriented in other aspects also. (?)

Greetingz
Ka

--
Want hear Ancient Music In The Pines? Must find remote. Must change channel.
http://www.khidr.net/users/ka/pgpkey.asc

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
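A way to check a rewriting proxy for the behaviour reported in the post above: compare the links in a page fetched directly with the links in the same page as served through the proxy, and flag every https link whose rewritten form points at the same address over http. This is an added example, not part of the original post; the proxy URL layout (`PROXY_PREFIX`), the sample pages and the function names are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the proxy rewrites links as <PROXY_PREFIX><url it will fetch>.
PROXY_PREFIX = "https://proxy.example/"

class LinkCollector(HTMLParser):
    """Collect the href value of every <a> tag."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.extend(v for k, v in attrs if k == "href" and v)

def extract_links(html):
    collector = LinkCollector()
    collector.feed(html)
    return collector.links

def address(url):
    """Scheme-independent identity of a URL: host, path and query."""
    u = urlsplit(url)
    return (u.hostname, u.path or "/", u.query)

def find_downgrades(origin_html, proxied_html):
    """Return the origin https links that the proxy will fetch over http only."""
    fetched = {}  # address -> set of schemes the proxy would use for it
    for href in extract_links(proxied_html):
        if href.startswith(PROXY_PREFIX):
            href = href[len(PROXY_PREFIX):]  # recover the proxy-to-target URL
        fetched.setdefault(address(href), set()).add(urlsplit(href).scheme)
    downgraded = []
    for href in extract_links(origin_html):
        if urlsplit(href).scheme != "https":
            continue
        schemes = fetched.get(address(href), set())
        if "http" in schemes and "https" not in schemes:
            downgraded.append(href)
    return downgraded

# Constructed sample pages: the same document fetched directly and via the proxy.
ORIGIN_HTML = ('<a href="https://target.com/login">Login</a>'
               '<a href="http://target.com/news">News</a>'
               '<a href="https://target.com/account?id=1">Account</a>')
PROXIED_HTML = ('<a href="https://proxy.example/http://target.com/login">Login</a>'
                '<a href="https://proxy.example/http://target.com/news">News</a>'
                '<a href="https://proxy.example/https://target.com/account?id=1">Account</a>')

if __name__ == "__main__":
    for link in find_downgrades(ORIGIN_HTML, PROXIED_HTML):
        print("downgraded to http on the proxy-to-target leg:", link)
```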