On Fri, 7 Jan 2005, Luca Marchiori wrote:
> Hi Henrik.
>
> > So your real question is if it is possible to determine with the help of
> > Squid if this employee is uploading confidential information to a third
> > party web site.
>
> No ! My REAL (and original) question is if it is possible to grab user and
> password from an url.
> Sorry, but I heat when one change my question because "I'm sure you intend
> this question and not the original one you made".
> I am a consultant, my customer wanna know user and password for the virtual
> hard drive and I have to give it him. Stop.
> We already know the employee is uploading confidential information to the
> internet.
While the FTP scheme does provide a mechanism for passing a user ID and
password in a URL, the HTTP scheme doesn't provide such a mechanism.
The issue is moot when dealing with HTTPS as the HTTP header is part of
the encrypted payload. Only the IP and TCP headers are transmitted in the
clear.
-- BEGIN: vcard VERSION: 3.0 FN: Merton Campbell Crockett ORG: General Dynamics Advanced Information Systems; Intelligence and Exploitation Systems N: Crockett;Merton;Campbell EMAIL;TYPE=internet: mcc@CATO.GD-AIS.COM TEL;TYPE=work,voice,msg,pref: +1(805)497-5045 TEL;TYPE=work,fax: +1(805)497-5050 TEL;TYPE=cell,voice,msg: +1(805)377-6762 END: vcardReceived on Fri Jan 07 2005 - 09:11:15 MST
This archive was generated by hypermail pre-2.1.9 : Mon Mar 07 2005 - 12:59:35 MST