Referrer usage

Discussion in 'HTML' started by Spartanicus, Oct 22, 2003.

  1. Spartanicus

    Spartanicus Guest

    My ISP requires the browser's referrer value for a certain page, I don't
    allow my browser to send the referrer causing the page to break. A
    request to get rid of this resulted in a claim that it is required:

    >The referrer logging has to be used to stop script kiddies running a
    >script against the account log in page and using a brute force or
    >dictionary attack to try to access our users accounts.


    Any truth in that?

    --
    Spartanicus
    Spartanicus, Oct 22, 2003
    #1

  2. Spartanicus wrote:

    > Any truth in that?


    It may stop the dumbest of script kiddies, but that's about it. Real
    security would be better.
    Leif K-Brooks, Oct 22, 2003
    #2

  3. Spartanicus wrote:

    > My ISP requires the browser's referrer value for a certain page, I don't
    > allow my browser to send the referrer


    Why not?

    >>The referrer logging has to be used to stop script kiddies running a
    >>script against the account log in page and using a brute force or
    >>dictionary attack to try to access our users accounts.

    >
    > Any truth in that?


    Faking a referrer is not difficult... then again script kiddies aren't
    smart.

    --
    David Dorward http://dorward.me.uk/
    David Dorward, Oct 22, 2003
    #3
  4. Spartanicus

    Spartanicus Guest

    David Dorward wrote:

    >> My ISP requires the browser's referrer value for a certain page, I don't
    >> allow my browser to send the referrer

    >
    >Why not?


    Privacy.

    --
    Spartanicus
    Spartanicus, Oct 22, 2003
    #4
  5. Spartanicus wrote:
    > David Dorward wrote:


    >>> My ISP requires the browser's referrer value for a certain page, I don't
    >>> allow my browser to send the referrer


    >>Why not?


    > Privacy.


    Why do you consider the address of the page that led you to 'this' page to
    be something you want private though? (Serious question)

    --
    David Dorward http://dorward.me.uk/
    David Dorward, Oct 22, 2003
    #5
  6. Spartanicus wrote:

    > My ISP requires the browser's referrer value for a certain page, I don't
    > allow my browser to send the referrer causing the page to break.


    Get Opera <http://www.opera.com/>. It has an easy toggle for switching
    on/off the HTTP referer header: F12.

    > A request to get rid of this resulted in a claim that it is required:
    >
    >>The referrer logging has to be used to stop script kiddies running a
    >>script against the account log in page and using a brute force or
    >>dictionary attack to try to access our users accounts.

    >
    > Any truth in that?


    That seems dumb to me. It is trivial to fake a referer header.

    To teach them a lesson, set up a local proxy and make sure all HTTP
    requests to their site have a referer header like:

    Referer: http://www.theirsite.com/#Referer sniffing is stupid.

    --
    Toby A Inkster BSc (Hons) ARCS
    Contact Me - http://www.goddamn.co.uk/tobyink/?id=132
    Toby A Inkster, Oct 22, 2003
    #6
  7. Spartanicus

    Spartanicus Guest

    David Dorward wrote:

    >>>> My ISP requires the browser's referrer value for a certain page, I don't
    >>>> allow my browser to send the referrer

    >
    >>>Why not?

    >
    >> Privacy.

    >
    >Why do you consider the address of the page that led you to 'this' page to
    >be something you want private though? (Serious question)


    It's not much of an issue in this specific case (same site/domain
    referrer), cross site/domain referrers are simply nobody's business and
    there is no justification for them.

    --
    Spartanicus
    Spartanicus, Oct 22, 2003
    #7
  8. David Dorward wrote:
    > Why do you consider the address of the page that led you to 'this' page to
    > be something you want private though? (Serious question)


    What if the page you had just left was from a webmail site? Then you could
    unwittingly be giving out your e-mail address.

    That said, I use (but do not rely on) Referer sniffing on my site. If the
    user has just come from a known search engine[1], then they get a page
    with their search terms highlighted. Handy.

    For example, search on Google for "toby a inkster" (with the quote marks)
    and then follow the first result[2] and you should see those words
    highlighted on the resultant page.


    [1] Currently just Google and my own search engine are "known".
    [2] Don't use "I'm Feeling Lucky". Strange bug.

    --
    Toby A Inkster BSc (Hons) ARCS
    Contact Me - http://www.goddamn.co.uk/tobyink/?id=132
    Toby A Inkster, Oct 22, 2003
    #8
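    A server-side sketch of the "known search engine" Referer handling Toby describes, added here as an example and not code from his site. It assumes a table of engine hostnames mapped to their query-parameter names (Google's `q` is real; `search.example.org` with `query` is a constructed stand-in for a site's own engine) and HTML-escapes both the page text and the terms before wrapping them in `<mark>`, because the Referer is client-controlled input and a term lifted from it must never reach the page as raw HTML. The header stays optional: absent, malformed, or from an unknown host, the page simply renders without highlights, which is the "use but do not rely on" behaviour from the post.

```python
import re
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed table of "known" engines: hostname -> name of the search-terms parameter.
# Only Google's "q" is a real parameter; the other entry is a placeholder for a site's own engine.
KNOWN_ENGINES = {
    "www.google.com": "q",
    "www.google.co.uk": "q",
    "search.example.org": "query",
}


def search_terms_from_referer(referer):
    """Return the visitor's search terms if the Referer is from a known engine, else [].

    Anything unexpected (no header, unparsable URL, unknown host, no query
    parameter) degrades to an empty list so the page never depends on the header.
    """
    if not referer:
        return []
    try:
        parts = urlsplit(referer)
    except ValueError:
        return []
    param = KNOWN_ENGINES.get(parts.netloc.lower())
    if param is None:
        return []
    terms = []
    for value in parse_qs(parts.query).get(param, []):
        for term in value.split():
            term = term.strip('"')  # phrase searches arrive quoted, as in "toby a inkster"
            if term and term not in terms:
                terms.append(term)
    return terms


def highlight(text, terms):
    """HTML-escape the page text, then wrap every occurrence of a term in <mark>.

    The terms are escaped the same way before matching, so a term such as
    <script> only ever matches (and marks) its escaped form in the output,
    and a single-pass alternation avoids re-matching inside inserted tags.
    """
    safe_text = escape(text)
    if not terms:
        return safe_text
    alternation = "|".join(re.escape(escape(term)) for term in terms)
    pattern = re.compile(alternation, re.IGNORECASE)
    return pattern.sub(lambda m: "<mark>" + m.group(0) + "</mark>", safe_text)


if __name__ == "__main__":
    # Constructed request: a visitor arriving from the Google phrase search in the post.
    referer = 'https://www.google.com/search?q=%22toby+a+inkster%22'
    terms = search_terms_from_referer(referer)
    print(highlight("Toby A Inkster, web developer", terms))
```

    Because matching is case-insensitive and single-pass, the original casing of the page text is preserved and a term such as `mark` cannot corrupt the `<mark>` tags inserted for an earlier term.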
  9. Dylan Parry

    Dylan Parry Guest

    Sitting in an ivory tower, Spartanicus wrote:

    > It's not much of an issue in this specific case (same site/domain
    > referrer), cross site/domain referrers are simply nobody's business and
    > there is no justification for them.


    Erm, how about so the author of a site knows who is linking to their
    site? This is something that has always been of interest to me, and
    sometimes I like to offer a link back to their site as a courtesy.

    --
    Dylan Parry
    http://www.webpageworkshop.co.uk - FREE Web tutorials and references
    Dylan Parry, Oct 22, 2003
    #9
  10. Toby A Inkster wrote:

    > David Dorward wrote:
    >> Why do you consider the address of the page that led you to 'this' page
    >> to be something you want private though? (Serious question)

    >
    > What if the page you had just left was from a webmail site? Then you could
    > unwittingly be giving out your e-mail address.


    Then it wouldn't be a very well written webmail application :)

    --
    David Dorward http://dorward.me.uk/
    David Dorward, Oct 22, 2003
    #10
  11. rf

    rf Guest

    "Spartanicus" <> wrote in message
    news:...
    > My ISP requires the browser's referrer value for a certain page, I don't
    > allow my browser to send the referrer causing the page to break. A
    > request to get rid of this resulted in a claim that it is required:
    >
    > >The referrer logging has to be used to stop script kiddies running a
    > >script against the account log in page and using a brute force or
    > >dictionary attack to try to access our users accounts.

    >
    > Any truth in that?


    None whatsoever. If *I* were to use brute force to try to crack that login
    page I would simply cause my script (or whatever) to send a referrer :)

    If the ISP really knew how to implement security then the server side
    process would do other things, like only allowing one login attempt per
    minute or something. My ISP allows three attempts and then locks out the page
    for 10 minutes.

    Cheers
    Richard.
    rf, Oct 23, 2003
    #11
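    rf's alternative, a per-account attempt limit with a lockout, worked through as an added example (not the ISP's code). It uses the numbers from the post, three failed attempts and then a 10 minute lockout, with a clock injected so the window can be tested without waiting; the `USERS` table, its plaintext password and `FakeClock` are constructed for the demo. The decision rests only on server-side state that the client cannot alter, whereas a Referer check rests on a header the client sets.

```python
import hmac
import time
from collections import defaultdict

MAX_FAILURES = 3            # rf's ISP: three attempts ...
LOCKOUT_SECONDS = 10 * 60   # ... then the page is locked out for 10 minutes

# Constructed credential store. A real one holds salted password hashes;
# plaintext is used here only to keep the example short.
USERS = {"alice": "correct horse battery staple"}


def password_matches(username, password):
    """Constant-time comparison against the stored secret (False for unknown users)."""
    stored = USERS.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8"))


class LoginThrottle:
    """Per-account failure counter with a lockout window.

    Nothing the client sends (Referer included) influences whether an
    attempt is allowed; only the server's own record of past failures does.
    """

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(int)   # username -> consecutive failed attempts
        self.locked_until = {}             # username -> clock value when the lockout ends

    def is_locked(self, username):
        deadline = self.locked_until.get(username)
        if deadline is None:
            return False
        if self.clock() >= deadline:
            # Lockout expired: clear the state so the account gets a fresh budget.
            del self.locked_until[username]
            self.failures[username] = 0
            return False
        return True

    def attempt(self, username, password):
        """Return 'locked', 'ok' or 'denied' for one login attempt."""
        if self.is_locked(username):
            return "locked"            # the password is not even evaluated
        if password_matches(username, password):
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        if self.failures[username] >= MAX_FAILURES:
            self.locked_until[username] = self.clock() + LOCKOUT_SECONDS
        return "denied"


class FakeClock:
    """Constructed stand-in for time.monotonic so the lockout window can be tested."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate_guessing(throttle, username, guesses):
    """Feed a list of password guesses and return the throttle's verdict on each."""
    return [throttle.attempt(username, guess) for guess in guesses]


if __name__ == "__main__":
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    # Three wrong guesses lock the account; the right password is then refused too.
    print(simulate_guessing(throttle, "alice", ["a", "b", "c", "correct horse battery staple"]))
    clock.advance(LOCKOUT_SECONDS)
    print(throttle.attempt("alice", "correct horse battery staple"))
```

    The fourth guess is reported as `locked` even though it is the correct password, which is what makes the limit bite: after the third failure the account costs the guesser ten minutes per three tries, regardless of which headers the requests carry.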
  12. Dylan Parry wrote:

    > Sitting in an ivory tower, Spartanicus wrote:
    >
    >> It's not much of an issue in this specific case (same site/domain
    >> referrer), cross site/domain referrers are simply nobody's business and
    >> there is no justification for them.

    >
    > Erm, how about so the author of a site knows who is linking to their
    > site? This is something that has always been of interest to me, and
    > sometimes I like to offer a link back to their site as a courtesy.


    I use them like that too, but that is still no justification for
    *requiring* visitors to have Referers.

    --
    Toby A Inkster BSc (Hons) ARCS
    Contact Me - http://www.goddamn.co.uk/tobyink/?id=132
    Toby A Inkster, Oct 23, 2003
    #12
  13. Spartanicus

    Spartanicus Guest

    Toby A Inkster wrote:

    >> My ISP requires the browser's referrer value for a certain page, I don't
    >> allow my browser to send the referrer causing the page to break.

    >
    >Get Opera <http://www.opera.com/>. It has an easy toggle for switching
    >on/off the HTTP referer header: F12.


    I rarely use anything else than Opera :)

    >> A request to get rid of this resulted in a claim that it is required:
    >>
    >>>The referrer logging has to be used to stop script kiddies running a
    >>>script against the account log in page and using a brute force or
    >>>dictionary attack to try to access our users accounts.

    >>
    >> Any truth in that?

    >
    >That seems dumb to me. It is trivial to fake a referer header.
    >
    >To teach them a lesson, set up a local proxy and make sure all HTTP
    >requests to their site have a referer header like:
    >
    >Referer: http://www.theirsite.com/#Referer sniffing is stupid.


    In this case the page that requires the referrer is not the actual login
    page, the menu selections on the page that follows the login page
    require the referrer (although I'm not sure if that makes any
    difference). Furthermore the server uses SSL at that stage IIRC, so
    faking the referrer would require something like Proxomitron with the
    OpenSSL package installed afaics.

    --
    Spartanicus
    Spartanicus, Oct 23, 2003
    #13
  14. Spartanicus

    Spartanicus Guest

    Dylan Parry wrote:

    >> It's not much of an issue in this specific case (same site/domain
    >> referrer), cross site/domain referrers are simply nobody's business and
    >> there is no justification for them.

    >
    >Erm, how about so the author of a site knows who is linking to their
    >site? This is something that has always been of interest to me, and
    >sometimes I like to offer a link back to their site as a courtesy.


    I have no problem with anyone wanting to know, I just reserve the right
    to withhold that information.

    --
    Spartanicus
    Spartanicus, Oct 23, 2003
    #14