[rt-devel] Following links offsite

Bruce Campbell bruce_campbell at ripe.net
Fri Feb 1 05:01:00 EST 2002

On 31 Jan 2002, seph wrote:

> Bruce Campbell <bruce_campbell at ripe.net> writes:
> > Actually, thinking more about this, I'm thinking that it's a security risk
> > to link directly from an RT system offsite.  Eg, if I follow a link from a

> security via obscurity is not very secure. relying on it is poor.

Correct, if it was a case of security of the RT system itself.  My point
is that releasing the RT ticket numbers to ad-hoc websites via the
HTTP_REFERER field is a Bad Thing (tm).

As a real-life example, say that your neighbour mentions to his insurance
agent that you've been meaning to get insurance for ages.  Which call
would you like from the insurance agent?

	'Hi there, your neighbour, insurance account 230984798, mentioned
	 that you might be in need of our services.'

		(ala current RT with ticket # in HTTP_REFERER)


	'Hi there, your neighbour mentioned that you might be in need of
	 our services.'

		(ala an RT-site Redirection, no ticket # in HTTP_REFERER)


	'Hi there, do you need insurance?'

		(ala, a new window for the URL, no HTTP_REFERER)


                             Bruce Campbell                            RIPE
                   Systems/Network Engineer                             NCC
                 www.ripe.net - PGP562C8B1B                      Operations
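The three cases above, modelled as an added example (not code from RT or from this thread): what an offsite server would see in Referer for a direct link, for an RT-site redirector, and for a fresh window, plus the redirector response a defender could serve. The RT host, the `/Ticket/Display.html?id=` URL shape and the `/redirect?url=` endpoint are assumptions; the example also assumes the redirector's own URL is what reaches the target as Referer, as the mail describes.

```python
import re
from urllib.parse import quote, urlsplit

# Assumed RT URL shape (hypothetical host): the ticket number lives in the
# query string as id=NNN, which is exactly what Referer would carry offsite.
TICKET_ID = re.compile(r"(?:^|&)id=(\d+)")


def ticket_in_referer(referer):
    """Return the ticket number a Referer value would disclose, or None.
    Handy for auditing outbound proxy logs from the RT side."""
    if not referer:
        return None
    m = TICKET_ID.search(urlsplit(referer).query)
    return int(m.group(1)) if m else None


def referer_for(ticket_url, target, strategy):
    """Referer the offsite server sees for each linking strategy in the mail:
    'direct' (ticket page URL), 'redirect' (RT-site redirector URL, which
    carries only the target) or 'new_window' (no Referer at all)."""
    if strategy == "direct":
        return ticket_url
    if strategy == "redirect":
        rt = urlsplit(ticket_url)
        return f"{rt.scheme}://{rt.netloc}/redirect?url={quote(target, safe='')}"
    if strategy == "new_window":
        return None
    raise ValueError(f"unknown strategy: {strategy}")


def redirector_response(target):
    """(status, headers, body) for the RT-side redirector endpoint.
    Only absolute http(s) targets are forwarded, so the endpoint cannot be
    turned into an open redirect to other schemes; Referrer-Policy is the
    modern header equivalent of the mail's 'no ticket # in HTTP_REFERER'."""
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return 400, {"Content-Type": "text/plain"}, "refusing to redirect"
    return 302, {"Location": target, "Referrer-Policy": "no-referrer"}, ""
```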

