[rt-devel] Following links offsite
bruce_campbell at ripe.net
Fri Feb 1 05:01:00 EST 2002
On 31 Jan 2002, seph wrote:
> Bruce Campbell <bruce_campbell at ripe.net> writes:
> > Actually, thinking more about this, I'm thinking that it's a security risk
> > to link directly from an RT system offsite. Eg, if I follow a link from a
> Security via obscurity is not very secure. Relying on it is poor.
Correct, if it was a case of security of the RT system itself. My point
is that releasing the RT ticket numbers to ad-hoc websites via the
HTTP_REFERER field is a Bad Thing (tm).
As a real-life example, say that your neighbour mentions to his insurance
agent that you've been meaning to get insurance for ages. Which call
would you like to get from the insurance agent?
'Hi there, your neighbour, insurance account 230984798, mentioned
that you might be in need of our services.'
(à la current RT with ticket # in HTTP_REFERER)
'Hi there, your neighbour mentioned that you might be in need of
(à la an RT-site redirection, no ticket # in HTTP_REFERER)
'Hi there, do you need insurance?'
(à la a new window for the URL, no HTTP_REFERER)
Bruce Campbell, Systems/Network Engineer, RIPE NCC Operations
www.ripe.net - PGP 562C8B1B
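The "RT-site redirection" option above, worked through as an added example; this is not code from the thread or from RT itself. It assumes a hypothetical RT host `rt.example.org`, a hypothetical same-site endpoint `/Redirect`, a demo-only HMAC key, and regex-based rewriting of RT's templated HTML. Two points a practitioner would add to the idea as posted: a redirector that forwards to any URL is an open redirect, so the `url` parameter is signed and the target is checked for scheme and header-injection characters; and in current browsers a bare 302 does not remove the Referer by itself (the redirected request inherits the original page's referrer), so the rewritten anchors carry `rel="noreferrer"` and the 302 response sets `Referrer-Policy: no-referrer`, which Fetch-compliant browsers apply to the redirected request.

```python
import hmac
import re
from hashlib import sha256
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumptions, not from the original thread: the RT instance's hostname, the
# path of a hypothetical same-site redirector, and a demo-only signing key.
RT_HOST = "rt.example.org"
REDIRECTOR_PATH = "/Redirect"
SIGNING_KEY = b"demo-key-replace-in-production"

_ANCHOR_RE = re.compile(r'<a\s+([^>]*?)href="([^"]*)"([^>]*)>', re.IGNORECASE)
_CTL_RE = re.compile(r"[\x00-\x1f\x7f]")


def is_offsite(href, rt_host=RT_HOST):
    """True if following href leaves the RT host, i.e. an external web server
    would get to log the Referer (the ticket URL) for that click."""
    parts = urlsplit(href)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False            # mailto: and friends: no web server to log it
    if not parts.netloc:
        return False            # relative link, stays on the RT site
    return parts.hostname != rt_host.lower()


def sign(url, key=SIGNING_KEY):
    """HMAC over the target so only links RT itself generated are accepted:
    a redirector that forwards to any URL is an open redirect."""
    return hmac.new(key, url.encode("utf-8"), sha256).hexdigest()


def redirect_query(href, key=SIGNING_KEY):
    """Query string that sends href through the redirector."""
    return urlencode({"url": href, "sig": sign(href, key)})


def rewrite_offsite_links(html, rt_host=RT_HOST, redirector=REDIRECTOR_PATH,
                          key=SIGNING_KEY):
    """Point every offsite <a href="..."> at the same-site redirector and add
    rel="noreferrer" so the browser sends no Referer at all for that click.
    Regex-based on purpose: enough for RT-style templated HTML, not a general
    HTML rewriter."""
    def repl(m):
        before, href, after = m.group(1), m.group(2), m.group(3)
        if not is_offsite(href, rt_host):
            return m.group(0)
        if href.startswith("//"):       # scheme-relative: assume RT is on https
            href = "https:" + href
        new_href = f"{redirector}?{redirect_query(href, key)}"
        return f'<a {before}href="{new_href}"{after} rel="noreferrer">'
    return _ANCHOR_RE.sub(repl, html)


def validate_redirect_target(url):
    """Return url if it is an absolute http(s) URL, else None. Rejects
    javascript:/data: schemes and CR/LF that could inject response headers."""
    if _CTL_RE.search(url):
        return None
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return url


def redirect_response(query_string, key=SIGNING_KEY):
    """The redirector endpoint, as the (status, headers) a WSGI app would return.
    The Referrer-Policy header on the 302 matters: browsers following the Fetch
    standard apply it to the redirected request, so the target sees no Referer
    even if the link lacked rel="noreferrer"."""
    params = parse_qs(query_string)
    url = params.get("url", [None])[0]
    sig = params.get("sig", [None])[0]
    bad = ("400 Bad Request", [("Content-Type", "text/plain")])
    if url is None or sig is None:
        return bad
    if not hmac.compare_digest(sig.encode("utf-8"), sign(url, key).encode("utf-8")):
        return bad
    target = validate_redirect_target(url)
    if target is None:
        return bad
    return ("302 Found", [("Location", target), ("Referrer-Policy", "no-referrer")])


if __name__ == "__main__":
    # Constructed sample: a ticket page with one offsite and one on-site link.
    page = ('<a href="http://www.ripe.net/">RIPE</a> '
            '<a href="/Ticket/Display.html?id=230984798">ticket</a>')
    print(rewrite_offsite_links(page))
    print(redirect_response(redirect_query("http://www.ripe.net/")))
```

The on-site link is left untouched, the offsite one becomes `/Redirect?url=...&sig=...` with `rel="noreferrer"`, and the endpoint refuses unsigned, non-http(s) or control-character targets before issuing the 302.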