>A few days ago, I had to send a fax to a crypto company in America. I
>hit their web page, cut and pasted the mail and fax addresses into
>the letter, and shipped it. Eventually I got email asking where the
>fax was. It turned out that the contact data I had fetched from what
>appeared to be their site had been completely wrong. They are now
>looking at whether it was an attack on them.
>
>Fortunately the letter's contents were not at all sensitive.
>
I wonder whether they will be willing to let you know what happened
if/when they find out. Bit embarrassing for a crypto company!!

Would SSL's authentication of the server by your browser have helped
(had they been using it, which I assume they hadn't)? If you were
providing access to a clinical system via Web technologies then I
think SSL (with other application-level security protection on top)
would be a minimum starting requirement.

I also suspect what you were pointing at was a static HTML page on
their site, not a dynamically generated page produced by a back-end
database. In the latter circumstance, a browser will not use a cached
page, but should always invoke the CGI (or equivalent) script and
force a reload from the application server (actually versions of IE
I've used to date don't seem to do this which is not very clever of MS
- Netscape does it properly). Use of dynamically generated pages would
inherently reduce the risk of this sort of attack/masquerade.

One possibility of course is you were accessing their server via an
intermediary proxy server which returned a cached page to you rather
than an actual page from their server. Now if someone had cleverly
tampered with the cached page in the proxy.... Again, a CGI (or
equivalent) script will normally force a reload from the actual server
despite cached pages being held in an intermediary proxy server - if
not by default there are ways of forcing it via the http header.

So...not so sure your example, though clearly a worry and requiring
protecting against, is a show-stopper for my Web/interactive paradigm.

However, do you know what happens in a proxy server where the browser
and actual Web server are using SSL? - Presumably the page, if cached
in the proxy, is encrypted anyway, so is of no use to anyone else?
---
Rob Tweed
IM&T Consulting Ltd; Health Web Services Ltd;
M/Gateway Developments Ltd
http://www.hwsl.co.uk/mgw
Tel: (+44) 181 540 1325
Fax: (+44) 181 715 4337
---
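
The header-based control mentioned in the message above ("there are ways of forcing it via the http header"), as an added example that is not part of the original post: a Python check, using a simplified subset of the HTTP caching rules in RFC 9111, of what an intermediary proxy may do with a 200 response. The function names and the sample headers are constructed for illustration.

```python
# Added example: a simplified subset of the HTTP caching rules (RFC 9111),
# answering "what may a shared proxy cache do with this 200 response?"
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument or None}."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

def proxy_policy(headers):
    """Return 'no-store', 'revalidate', 'reuse' or 'heuristic'."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc or "private" in cc:
        return "no-store"        # the proxy must not keep a copy
    if "no-cache" in cc:
        return "revalidate"      # copy allowed, origin consulted on every use
    ttl = cc.get("s-maxage") or cc.get("max-age")  # s-maxage wins for proxies
    if ttl is not None:
        return "reuse" if ttl.isdigit() and int(ttl) > 0 else "revalidate"
    if "expires" in h:
        try:
            expires = parsedate_to_datetime(h["expires"])
            now = (parsedate_to_datetime(h["date"]) if "date" in h
                   else datetime.now(timezone.utc))
            return "reuse" if expires > now else "revalidate"
        except (TypeError, ValueError):
            return "revalidate"  # an unparseable Expires counts as expired
    # No explicit freshness: the proxy may pick its own lifetime and serve
    # its stored copy without contacting the origin server.
    return "heuristic"

# Constructed sample responses (not taken from any real site).
SAMPLES = {
    "static page": {"Last-Modified": "Mon, 05 Jan 1998 10:00:00 GMT"},
    "no-store": {"Cache-Control": "no-store"},
    "no-cache": {"Cache-Control": "no-cache"},
    "proxy ttl 0": {"Cache-Control": "max-age=3600, s-maxage=0"},
    "expired": {"Date": "Mon, 05 Jan 1998 10:00:00 GMT", "Expires": "0"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:12} -> {proxy_policy(hdrs)}")
```

A result of "heuristic" or "reuse" means a copy held in the proxy can be returned without the origin server being asked; "revalidate" and "no-store" mean the origin is consulted.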