Another shining example of Microsoft "security".

vertigo vertigo at panix.com
Fri Apr 20 17:00:33 EDT 2001


On Fri, 20 Apr 2001, Enzo Michelangeli wrote:

> Why? Proxies for HTTPS do not touch the encrypted data

Ours did.  I don't know if Lycos still uses the software,
but it was not an HTTP proxy.  Lycos, for example, had
a link to The Gap on their shopping page.  The HREF was
something like 'proxy.lycos.com/createreferral?host=
www.gap.com&toolbar=1'.  We took over from there.  The
request was made (either insecurely, or through an SSL
client), retrieved, stored in an Oracle database,
parsed to change all the URLs in that page to point BACK
to our software, and sent to the user. If they were
accessing a secure site, then we were happy to provide our
own certificate. This was repeated as many times as necessary.
We were the proverbial man-in-the-middle.

Later on we parsed the logged pages looking for purchase
information.  Once this information was found, we gave Lycos
The Gap's daily, weekly, and monthly sales figures. Lycos then
sent The Gap a bill for a percentage of these.

It was terribly insecure on our end, everything (including
credit card information) being stored in the clear for
offline parsing.  Management didn't want to spend the
time, money, and effort required to make that unruly beast
secure. Both our lawyers and Lycos' assured us this type
of snooping was covered by Lycos' user-agreement.  The only
legal call we received was from Google, when the first
link presented to users searching for The Gap was the link
on Lycos's site that pointed to our software.  :)

It's a rather long story, and the software is considerably
more complex than this.  Rest assured, Phlair, Inc. had a
25% staff cut a month or so ago.  I doubt they will be doing
this for much longer.

If you want more information, I would be happy to provide it off
the list.  I could write volumes about it, and the crypto is
the least interesting part about it.  The SSL client was written
in 15 minutes.

vert
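The rewriting step described in the message above (fetch the origin page, rewrite every link so it points back at the proxy's "createreferral" endpoint, and serve the result) as an added example. This is illustration code, not Phlair's or Lycos' software; the endpoint shape "createreferral?host=...&toolbar=1" is taken from the message, while the proxy hostname, the "path" and "secure" parameters, the attribute list and the sample page are assumptions made here. Certificate handling and the logging side are not shown.

```python
# Added illustration of a URL-rewriting proxy's core step.  Not the code
# from the post; only the 'createreferral?host=...&toolbar=1' endpoint
# shape comes from it.  Everything else below is assumed.
import html
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlencode

# Assumed stand-in for the real proxy host named in the post.
PROXY_BASE = "http://proxy.example.com/createreferral"

# (tag, attribute) pairs whose values are routed back through the proxy.
REWRITE_ATTRS = {("a", "href"), ("form", "action"), ("img", "src"),
                 ("link", "href"), ("script", "src"), ("frame", "src")}


def proxied_url(origin_url: str, raw: str) -> str:
    """Map a URL found in a page fetched from origin_url to the proxy.

    Relative links are resolved against the origin first so the rewritten
    link still names the right host.  Non-http(s) schemes (mailto:,
    javascript:) are returned unchanged.  The 'path' and 'secure'
    parameters are assumed here; the post only shows 'host' and 'toolbar'.
    """
    absolute = urljoin(origin_url, raw)
    parts = urlsplit(absolute)
    if parts.scheme not in ("http", "https"):
        return raw
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    query = urlencode({"host": parts.netloc, "path": path,
                       "secure": int(parts.scheme == "https"), "toolbar": 1})
    return f"{PROXY_BASE}?{query}"


class Rewriter(HTMLParser):
    """Re-emits a page verbatim except for the rewritten link attributes."""

    def __init__(self, origin_url: str):
        super().__init__(convert_charrefs=False)
        self.origin = origin_url
        self.out = []
        self.rewritten = 0  # number of attribute values changed

    def _emit_tag(self, tag, attrs, selfclosing=False):
        pieces = [tag]
        for name, value in attrs:
            if value is None:          # bare attribute such as <input disabled>
                pieces.append(name)
                continue
            if (tag, name.lower()) in REWRITE_ATTRS:
                new = proxied_url(self.origin, value)
                if new != value:
                    self.rewritten += 1
                value = new
            # HTMLParser hands us unescaped values; escape again on output.
            pieces.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(pieces) + (" />" if selfclosing else ">"))

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, selfclosing=True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def rewrite_page(origin_url: str, page: str):
    """Return (rewritten_html, number_of_links_rewritten)."""
    r = Rewriter(origin_url)
    r.feed(page)
    r.close()
    return "".join(r.out), r.rewritten


# Constructed sample page standing in for a fetched merchant page.
SAMPLE_PAGE = """<html><body>
<a href="https://www.gap.com/checkout">Checkout</a>
<a href="/sale?cat=jeans">Sale</a>
<img src="http://images.gap.com/logo.gif">
<a href="mailto:help@gap.com">Help</a>
</body></html>"""

if __name__ == "__main__":
    rewritten, count = rewrite_page("https://www.gap.com/shop/index.html", SAMPLE_PAGE)
    print(count, "links rewritten")
    print(rewritten)
```

The point worth noticing is how little the rewriting needs: one URL-mapping function and a pass over a handful of attributes keeps every subsequent click on the proxy, which is why the post can say the crypto was the least interesting part. Anything that builds URLs at runtime (script, meta refresh, CSS url()) needs the same treatment or the user silently leaves the proxy.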

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com