Velocity Reviews - Computer Hardware Reviews

Referrer usage

 
 
Spartanicus
      10-22-2003
My ISP requires the browser's referrer value for a certain page, I don't
allow my browser to send the referrer causing the page to break. A
request to get rid of this resulted in a claim that it is required:

>The referrer logging has to be used to stop script kiddies running a
>script against the account log in page and using a brute force or
>dictionary attack to try to access our users accounts.


Any truth in that?

--
Spartanicus
 
Leif K-Brooks
      10-22-2003
Spartanicus wrote:

> Any truth in that?


It may stop the dumbest of script kiddies, but that's about it. Real
security would be better.

 
David Dorward
      10-22-2003
Spartanicus wrote:

> My ISP requires the browser's referrer value for a certain page, I don't
> allow my browser to send the referrer


Why not?

>>The referrer logging has to be used to stop script kiddies running a
>>script against the account log in page and using a brute force or
>>dictionary attack to try to access our users accounts.

>
> Any truth in that?


Faking a referrer is not difficult... then again script kiddies aren't
smart.

--
David Dorward http://dorward.me.uk/
 
Spartanicus
      10-22-2003
David Dorward wrote:

>> My ISP requires the browser's referrer value for a certain page, I don't
>> allow my browser to send the referrer

>
>Why not?


Privacy.

--
Spartanicus
 
David Dorward
      10-22-2003
Spartanicus wrote:
> David Dorward wrote:


>>> My ISP requires the browser's referrer value for a certain page, I don't
>>> allow my browser to send the referrer


>>Why not?


> Privacy.


Why do you consider the address of the page that led you to 'this' page to
be something you want private though? (Serious question)

--
David Dorward http://dorward.me.uk/
 
Toby A Inkster
      10-22-2003
Spartanicus wrote:

> My ISP requires the browser's referrer value for a certain page, I don't
> allow my browser to send the referrer causing the page to break.


Get Opera <http://www.opera.com/>. It has an easy toggle for switching
on/off the HTTP referer header: F12.

> A request to get rid of this resulted in a claim that it is required:
>
>>The referrer logging has to be used to stop script kiddies running a
>>script against the account log in page and using a brute force or
>>dictionary attack to try to access our users accounts.

>
> Any truth in that?


That seems dumb to me. It is trivial to fake a referer header.

To teach them a lesson, set up a local proxy and make sure all HTTP
requests to their site have a referer header like:

Referer: http://www.theirsite.com/#Referer%20...%20is%20stupid.

--
Toby A Inkster BSc (Hons) ARCS
Contact Me - http://www.goddamn.co.uk/tobyink/?id=132
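
[Added example, not part of any post in this thread and not the ISP's code: the Referer check under discussion beside a server-side failure throttle, which depends only on state the server keeps. The URL, addresses, thresholds and all function names are constructed for illustration.]

```python
import time
from collections import defaultdict, deque

EXPECTED_REFERER = "https://isp.example/login"  # constructed URL (assumption)

def referer_gate(headers):
    """The check the ISP describes: pass only if Referer names the login page.
    The header is supplied by the client, so this reflects what the client
    chose to send, not where the request came from."""
    return headers.get("Referer", "").startswith(EXPECTED_REFERER)

class LoginThrottle:
    """Sliding-window failure counter kept on the server, per account and
    per client address. No request header is consulted."""

    def __init__(self, max_failures=5, window=300.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window          # seconds a failure stays counted
        self.clock = clock            # injectable so tests can control time
        self.failures = defaultdict(deque)

    def _recent(self, key):
        q = self.failures[key]
        cutoff = self.clock() - self.window
        while q and q[0] <= cutoff:   # drop failures older than the window
            q.popleft()
        return q

    def allowed(self, account, addr):
        # Both counters must be under the limit: the account counter still
        # applies when the client address changes between attempts.
        return all(len(self._recent(k)) < self.max_failures
                   for k in (("acct", account), ("addr", addr)))

    def record_failure(self, account, addr):
        now = self.clock()
        for k in (("acct", account), ("addr", addr)):
            self._recent(k).append(now)

def handle_login(throttle, headers, account, addr, password_ok):
    """Return 'ok', 'denied' or 'throttled'. headers is accepted but ignored."""
    if not throttle.allowed(account, addr):
        return "throttled"
    if password_ok:
        return "ok"
    throttle.record_failure(account, addr)
    return "denied"
```

The per-account counter lets repeated failures lock out the legitimate user for the window, so deployments usually pair it with a short window or a delay rather than a hard lock.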

 
Spartanicus
      10-22-2003
David Dorward wrote:

>>>> My ISP requires the browser's referrer value for a certain page, I don't
>>>> allow my browser to send the referrer

>
>>>Why not?

>
>> Privacy.

>
>Why do you consider the address of the page that led you to 'this' page to
>be something you want private though? (Serious question)


It's not much of an issue in this specific case (same site/domain
referrer), cross site/domain referrers are simply nobody's business and
there is no justification for them.

--
Spartanicus
 
Toby A Inkster
      10-22-2003
David Dorward wrote:
> Why do you consider the address of the page that led you to 'this' page to
> be something you want private though? (Serious question)


What if the page you had just left was from a webmail site? Then you could
unwittingly be giving out your e-mail address.

That said, I use (but do not rely on) Referer sniffing on my site. If the
user has just come from a known search engine[1], then they get a page
with their search terms highlighted. Handy.

For example, search on Google for "toby a inkster" (with the quote marks)
and then follow the first result[2] and you should see those words
highlighted on the resultant page.


[1] Currently just Google and my own search engine are "known".
[2] Don't use "I'm Feeling Lucky". Strange bug.

--
Toby A Inkster BSc (Hons) ARCS
Contact Me - http://www.goddamn.co.uk/tobyink/?id=132

 
Dylan Parry
      10-22-2003
Sitting in an ivory tower, Spartanicus wrote:

> It's not much of an issue in this specific case (same site/domain
> referrer), cross site/domain referrers are simply nobody's business and
> there is no justification for them.


Erm, how about so the author of a site knows who is linking to their
site? This is something that has always been of interest to me, and
sometimes I like to offer a link back to their site as a courtesy.

--
Dylan Parry
http://www.webpageworkshop.co.uk - FREE Web tutorials and references

 
David Dorward
      10-22-2003
Toby A Inkster wrote:

> David Dorward wrote:
>> Why do you consider the address of the page that led you to 'this' page
>> to be something you want private though? (Serious question)

>
> What if the page you had just left was from a webmail site? Then you could
> unwittingly be giving out your e-mail address.


Then it wouldn't be a very well written webmail application

--
David Dorward http://dorward.me.uk/
 