Mailing List Archive



Re: [tlug] detect fake HTTP referrer



Joe Larabell writes:

 > really need the file, I generally just leave. Requiring cookies for such a 
 > lame reason (file d/load) is likely to cost you customers.

Could be.  If so, we'll move on to the next under the radar scheme for
customer tracking.  But NVH clearly wanted to track his customers
pretty badly.

 > I thought the point was that he didn't want anyone else offering the file 
 > for d/load but himself (I think the follow-up also clarified that).

No, he clearly allows others to offer it, but he wants it to come from
his site, and he wants a correct referrer.

 > > Actually, in the U.S. the correct term is "obeying copyright law without
 > > checking the license".

 > What I was referring to has nothing to do with copyright.

I know.  Do you understand what I was referring to?  Let's spell it out.

 > Suppose I have a public domain image on my page that I dig up from
 > some archive of such. Someone else likes the image and decides to
 > use it on their page as well. That's legal.

My point is that he doesn't know that it's legal.

Do your images all bear copyright and licensing information on them?
Do all your pages specify which if any images have restrictions on
them?  Are you *sure* your licensing information is correct, and if
so, how is this person supposed to know that you're different from all
the schmucks and schmuck corporations that just bogart images?

If he uses an URL instead of copying the content, then the whole legal
mess is your responsibility.

 > But instead of copying the file to *his* server, he just puts *my*
 > URL into the <img> tag. Now, when someone visits his page, his
 > server takes the hit for the HTML but *my* server supplies the
 > image. That's my bandwidth and, even though I get a certain amount
 > included in my monthly allotment, it's not a *free*
 > resource. That's theft.

AFAIK it's not.  I can understand that you dislike it, but that
doesn't make it theft.

 > > On every page that contains images, set a cookie with a short expiry
 > > (say 1 hour), and insist on the cookie before you give away an image.
 > 
 > But the cookie is just a string which can be spoofed. Unless you set a 
 > unique cookie per visitor, miscreants can still concoct an HTTP request 
 > that mimics the fixed-value cookie to access the file.

Unique is fine with me.  (But I thought "short expiry" already implied
that; I don't see how to have short-expiry cookies that are
fixed-value.)
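
The per-visitor, short-expiry cookie discussed in this message, as an added sketch that is not code from the thread. The names SERVER_KEY, issue_cookie and check_cookie are hypothetical, and signing the value with an HMAC is an assumption made here so that a client cannot concoct a valid cookie of its own.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: server-side secret, never sent to clients
TTL_SECONDS = 3600                    # "short expiry (say 1 hour)" from the thread


def _sign(payload: str) -> bytes:
    """HMAC-SHA256 over the cookie payload, hex-encoded as bytes."""
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256)
    return mac.hexdigest().encode()


def issue_cookie(now=None) -> str:
    """Build the cookie value set on every HTML page that embeds images."""
    now = int(time.time()) if now is None else int(now)
    nonce = secrets.token_hex(8)              # makes each visitor's value unique
    payload = f"{now + TTL_SECONDS}.{nonce}"  # expiry is part of the signed data
    return f"{payload}.{_sign(payload).decode()}"


def check_cookie(cookie, now=None) -> bool:
    """Decide whether to serve an image: True only for an unexpired, untampered cookie."""
    now = int(time.time()) if now is None else int(now)
    if not cookie:
        return False                          # no cookie: direct hit or hotlink
    parts = cookie.split(".")
    if len(parts) != 3:
        return False                          # not in our format (e.g. a guessed fixed value)
    expires, nonce, sig = parts
    try:
        # Constant-time comparison against the signature we would have issued.
        if not hmac.compare_digest(sig.encode(), _sign(f"{expires}.{nonce}")):
            return False                      # forged, or expiry/nonce edited by the client
        return now < int(expires)             # signed but stale cookies are refused
    except ValueError:
        return False                          # undecodable or non-numeric input


if __name__ == "__main__":
    c = issue_cookie()
    print(c, check_cookie(c), check_cookie("fixed-value"))
```

A cookie copied from a genuine page visit still works until it expires, so this bounds how long a leaked value is useful rather than tying it to one client.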


