#1
Hi,

I have a website whose URL is of the form https://<blah>?SecureInfo=XYZ.

If the IIS 6.0 admin turns on logging and enables Referer logging (by going to inetmgr, right-clicking the website->Properties->WebSite. Check "enable logging", select "W3C Extended Log File Format", push Properties button, select Advanced tab, click Referer.), then he will see https://<blah>?SecureInfo=XYZ in the logs.

Is there any way I can construct a URL such that "SecureInfo=XYZ" will not appear in the IIS logs even though IIS logging of Referer is enabled?

Thanks
#2
On May 20, 12:06 pm, A <A...@discussions.microsoft.com> wrote:
> Hi,
>
> I have a website whose URL is of the form https://<blah>?SecureInfo=XYZ.
>
> If the IIS 6.0 admin turns on logging and enables Referer logging (by going to inetmgr, right-clicking the website->Properties->WebSite. Check "enable logging", select "W3C Extended Log File Format", push Properties button, select Advanced tab, click Referer.), then he will see https://<blah>?SecureInfo=XYZ in the logs.
>
> Is there any way I can construct a URL such that "SecureInfo=XYZ" will not appear in the IIS logs even though IIS logging of Referer is enabled?
>
> Thanks

The problem is that you failed to encrypt data that needs to be secured, and you transmitted that secured data over fields that the web server is obligated to faithfully log.

I suggest you encrypt data that is supposed to be secured. SSL is insufficient because that just handles the pipe -- you need it to be secured at the endpoints as well.

However, your problem is unsecurable given that configuration. The IIS 6.0 admin can always capture the unencrypted form of any SecureInfo that you send to the web server, no matter how you encrypt it. It may not be as easy as turning on logging for a field, but it is easily doable.

At this point, you need to clarify how secure you really desire your data to be.

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//