Referrer usage

Spartanicus

My ISP requires the browser's referrer value for a certain page; I don't
allow my browser to send the referrer, causing the page to break. A
request to get rid of this resulted in a claim that it is required:
The referrer logging has to be used to stop script kiddies running a
script against the account login page and using a brute force or
dictionary attack to try to access our users' accounts.

Any truth in that?
David Dorward

Spartanicus said:
My ISP requires the browser's referrer value for a certain page; I don't
allow my browser to send the referrer

Why not?
Any truth in that?

Faking a referrer is not difficult... then again script kiddies aren't
smart.
Toby A Inkster

Spartanicus said:
My ISP requires the browser's referrer value for a certain page; I don't
allow my browser to send the referrer, causing the page to break.

A request to get rid of this resulted in a claim that it is required:


Any truth in that?

That seems dumb to me. It is trivial to fake a referer header.

To teach them a lesson, set up a local proxy and make sure all HTTP
requests to their site have a referer header like:

Referer: http://www.theirsite.com/#Referer sniffing is stupid.
Spartanicus

David said:
Why do you consider the address of the page that led you to 'this' page to
be something you want private though? (Serious question)

It's not much of an issue in this specific case (same site/domain
referrer); cross site/domain referrers are simply nobody's business and
there is no justification for them.
Toby A Inkster

David said:
Why do you consider the address of the page that led you to 'this' page to
be something you want private though? (Serious question)

What if the page you had just left was from a webmail site? Then you could
unwittingly be giving out your e-mail address.

That said, I use (but do not rely on) Referer sniffing on my site. If the
user has just come from a known search engine[1], then they get a page
with their search terms highlighted. Handy.

For example, search on Google for "toby a inkster" (with the quote marks)
and then follow the first result[2] and you should see those words
highlighted on the resultant page.


[1] Currently just Google and my own search engine are "known".
[2] Don't use "I'm Feeling Lucky". Strange bug.
Dylan Parry

Spartanicus said:
It's not much of an issue in this specific case (same site/domain
referrer); cross site/domain referrers are simply nobody's business and
there is no justification for them.

Erm, how about so the author of a site knows who is linking to their
site? This is something that has always been of interest to me, and
sometimes I like to offer a link back to their site as a courtesy.
David Dorward

Toby said:
What if the page you had just left was from a webmail site? Then you could
unwittingly be giving out your e-mail address.

Then it wouldn't be a very well written webmail application :)
rf

Spartanicus said:
My ISP requires the browser's referrer value for a certain page; I don't
allow my browser to send the referrer, causing the page to break. A
request to get rid of this resulted in a claim that it is required:


Any truth in that?

None whatsoever. If *I* were to use brute force to try to crack that login
page I would simply cause my script (or whatever) to send a referrer :)

If the ISP really knew how to implement security then the server side
process would do other things, like only allowing one login attempt per
minute or something. My ISP allows three attempts and then locks out the page
for 10 minutes.

Cheers
Richard.
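The server-side policy rf describes, as an added example (not code from this thread or from any ISP): a login limiter that locks an account after three failed attempts for 10 minutes, beside the Referer gate the ISP relies on, which only tests a header the client chooses to send. The names LoginLimiter and referer_gate and the site URL http://isp.example/ are assumptions.

```python
import time
from collections import defaultdict

# Values taken from rf's post: three attempts, then a 10 minute lockout.
MAX_FAILURES = 3
LOCKOUT_SECONDS = 10 * 60


class LoginLimiter:
    """Per-account consecutive-failure counter with a temporary lockout.

    `clock` is injectable so lockout expiry can be exercised without
    sleeping; it defaults to time.monotonic.
    """

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = defaultdict(int)  # account -> consecutive failures
        self._locked_until = {}            # account -> clock deadline

    def is_locked(self, account):
        deadline = self._locked_until.get(account)
        if deadline is None:
            return False
        if self._clock() >= deadline:
            # Lockout expired: reset so the user gets a fresh budget.
            del self._locked_until[account]
            self._failures[account] = 0
            return False
        return True

    def attempt(self, account, password, check_password):
        """Return 'locked', 'ok' or 'bad'. The credential check only runs
        when the account is not locked, so a locked account cannot be probed."""
        if self.is_locked(account):
            return "locked"
        if check_password(account, password):
            self._failures[account] = 0
            return "ok"
        self._failures[account] += 1
        if self._failures[account] >= MAX_FAILURES:
            self._locked_until[account] = self._clock() + LOCKOUT_SECONDS
        return "bad"


def referer_gate(headers, expected_prefix):
    """The check the ISP describes: accept only requests whose Referer
    starts with the site URL. The header is set by the client, so this
    stops nothing except browsers configured to withhold it."""
    return headers.get("Referer", "").startswith(expected_prefix)
```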
Toby A Inkster

Dylan said:
Erm, how about so the author of a site knows who is linking to their
site? This is something that has always been of interest to me, and
sometimes I like to offer a link back to their site as a courtesy.

I use them like that too, but that is still no justification for
*requiring* visitors to have Referers.
Spartanicus

Toby said:
Get Opera <http://www.opera.com/>. It has an easy toggle for switching
on/off the HTTP referer header: F12.

I rarely use anything other than Opera :)

Toby said:
That seems dumb to me. It is trivial to fake a referer header.

To teach them a lesson, set up a local proxy and make sure all HTTP
requests to their site have a referer header like:

Referer: http://www.theirsite.com/#Referer sniffing is stupid.

In this case the page that requires the referrer is not the actual login
page, the menu selections on the page that follows the login page
require the referrer (although I'm not sure if that makes any
difference). Furthermore the server uses SSL at that stage IIRC, so
faking the referrer would require something like Proxomitron with the
OpenSSL package installed afaics.
Spartanicus

Dylan said:
Erm, how about so the author of a site knows who is linking to their
site? This is something that has always been of interest to me, and
sometimes I like to offer a link back to their site as a courtesy.

I have no problem with anyone wanting to know, I just reserve the right
to withhold that information.