Re: [squid-users] grab password from url

From: Merton Campbell Crockett <[email protected]>
Date: Fri, 7 Jan 2005 08:02:12 -0800 (PST)

On Fri, 7 Jan 2005, Luca Marchiori wrote:

> Hi Henrik.
>
> > So your real question is if it is possible to determine with the help of
> > Squid if this employee is uploading confidential information to a third
> > party web site.
>
> No ! My REAL (and original) question is if it is possible to grab user and
> password from an url.
> Sorry, but I heat when one change my question because "I'm sure you intend
> this question and not the original one you made".
> I am a consultant, my customer wanna know user and password for the virtual
> hard drive and I have to give it him. Stop.
> We already know the employee is uploading confidential information to the
> internet.

While the FTP scheme does provide a mechanism for passing a user ID and
password in a URL, the HTTP scheme doesn't provide such a mechanism.

The issue is moot when dealing with HTTPS as the HTTP header is part of
the encrypted payload. Only the IP and TCP headers are transmitted in the
clear.

-- 
BEGIN:				vcard
VERSION:			3.0
FN:				Merton Campbell Crockett
ORG:				General Dynamics Advanced Information Systems;
				Intelligence and Exploitation Systems
N:				Crockett;Merton;Campbell
EMAIL;TYPE=internet:		mcc@CATO.GD-AIS.COM
TEL;TYPE=work,voice,msg,pref:	+1(805)497-5045
TEL;TYPE=work,fax:		+1(805)497-5050
TEL;TYPE=cell,voice,msg:	+1(805)377-6762
END:				vcard
Received on Fri Jan 07 2005 - 09:11:15 MST

This archive was generated by hypermail pre-2.1.9 : Mon Mar 07 2005 - 12:59:35 MST