Request.UrlReferrer + IE7 + "Invalid Certificate" = bad news

Currently we are working on a secure application (SSL, Client Certs all that good jazz) when we discovered IE7 has an issue reporting the referring url when an Invalid SSL certificate is encountered. The solution we have come up with will pass a hashed value as a querystring to the validation application. Once there, we have hashed values of our sites in place, they are compared and the proper site is selected. I know there are other ways that are better and more efficient than this, but with the legacy applications we have to support with the new security model this was the easiest solution without re-engineering old code that is going to be modernized to .NET in the coming months.

Now, the question, has anybody found a workaround when using IE7 and self-signed certs to get around the urlReferrer problem?

We have tested IE7, IE6, NS and Firefox 1.5 and 2.0. The only browser that will not report back the referring url is IE7. After snooping the packets sent, it looks as if IE7 actually sends out an HTTP stream to the browser instead of an informational dialog like most browsers. I haven't looked into the nitty gritty on this, but after searching Google and various other sites I wasn't able to return anything regarding Invalid Certs IE7 and urlReferrer.

TIA

Randy

Will this be an issue in the actual production version of the apps? Self-signed certs are generally only used for dinking around in the lab, not for real deployments.

I was not aware of this particular problem with IE7, so thanks for bringing that up. As to whether there is a fix, I have no idea.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--

<CynicalIr***@gmail.com> wrote in message news:1171555857.087799.189460@a34g2000cwb.googlegroups.com...
> Currently we are working on a secure application (SSL, Client Certs
> all that good jazz) when we discovered IE7 has an issue reporting the
> referring url when an Invalid SSL certificate is encountered. The
> solution we have come up with will pass a hashed value as a
> querystring to the validation application. Once there, we have hashed
> values of our sites in place, they are compared and the proper site is
> selected. I know there are other ways that are better and more
> efficient than this, but with the legacy applications we have to
> support with the new security model this was the easiest solution
> without re-engineering old code that is going to be modernized to .NET in
> the coming months.
>
> Now, the question, has anybody found a workaround when using IE7 and
> self-signed certs to get around the urlReferrer problem?
>
> We have tested IE7, IE6, NS and Firefox 1.5 and 2.0. The only browser
> that will not report back the referring url is IE7. After snooping the
> packets sent, it looks as if IE7 actually sends out an HTTP stream to
> the browser instead of an informational dialog like most browsers. I
> haven't looked into the nitty gritty on this, but after searching
> Google and various other sites I wasn't able to return anything
> regarding Invalid Certs IE7 and urlReferrer.
>
> TIA
>
> Randy
>

Thanks for the reply Joe. Currently this will be an issue on our production servers. Hence the reason for the hashing and querystring of the referring site, if we just experienced this on our dev site it wouldn't be a major issue. I've set up some functions to check the urlReferrer, if it has issues then it will look for the querystring reference. We are waiting to roll out new servers, once we get those servers in stance this shouldn't be an issue anymore as we will be able to get proper certs from the DoD for the new boxes.

However, for development, we have to initiate the connection, tell IE7 to accept the cert, get the error, then go back to the originating page and start again. After the cert acceptance takes place the urlReferrer works until IE7 is closed. This makes perfect sense, just providing the information as an FYI.

Randy
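
The fallback described in this thread (use Request.UrlReferrer when the browser sends it, otherwise match a hashed site value from the query string against stored hashes), as an added C# example that is not code from any poster. The SHA-256 choice, the `site` parameter name and the example.com hosts are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example: resolve the calling site from the Referer header, falling
// back to a hashed site token in the query string when the header is missing.
public static class CallingSiteResolver
{
    // Constructed sample hosts; a real deployment would load these from config.
    private static readonly string[] KnownSites = { "legacy-hr.example.com", "legacy-pay.example.com" };

    // hex(SHA-256(host)) -> host, built once when the class is first used.
    private static readonly Dictionary<string, string> SiteByToken = BuildTable();

    private static Dictionary<string, string> BuildTable()
    {
        var table = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        foreach (string host in KnownSites)
            table[TokenFor(host)] = host;
        return table;
    }

    // SHA-256 is an assumption; the thread does not name the hash used.
    public static string TokenFor(string host)
    {
        using (SHA256 sha = SHA256.Create())
        {
            byte[] digest = sha.ComputeHash(Encoding.UTF8.GetBytes(host.ToLowerInvariant()));
            return BitConverter.ToString(digest).Replace("-", "");
        }
    }

    // referrer:  Request.UrlReferrer (null when the browser sent no Referer).
    // siteToken: Request.QueryString["site"] (parameter name is hypothetical).
    // Both inputs are client-supplied, so the result selects a site; it is
    // not proof of where the request came from.
    public static string Resolve(Uri referrer, string siteToken)
    {
        if (referrer != null && referrer.IsAbsoluteUri)
        {
            string host = referrer.Host.ToLowerInvariant();
            if (Array.IndexOf(KnownSites, host) >= 0)
                return host;
        }
        string known;
        if (!string.IsNullOrEmpty(siteToken) && SiteByToken.TryGetValue(siteToken.Trim(), out known))
            return known;
        return null; // neither source names a known site
    }
}
```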