
Re: [tlug] detect fake HTTP referrer




> Suppose I have a public domain image on my page that I dig up from
> some archive of such. Someone else likes the image and decides to
> use it on their page as well. That's legal.

My point is that he doesn't know that it's legal.

I see. So you're saying that his linking to my URL could also be a way of avoiding the hassle of having to even figure out whether the image is legal. That's a good point. So there are three possible motivations: (a) laziness/inexperience, (b) copyright avoidance, or (c) letting someone else pay the bandwidth for the bulk of their site.


> .... That's my bandwidth and, even though I get a certain amount
> included in my monthly allottment, it's not a *free*
> resource. That's theft.

AFAIK it's not.  I can understand that you dislike it, but that
doesn't make it theft.

IANAL but it seems to me that intentionally using my paid-for ISP account to serve images for their site without my permission should fall in the same bracket as someone using another's WiFi access point without their knowledge. The latter is of very questionable legality and there have been arrests and fines (I Googled "WiFi theft" to verify that).


> > On every page that contains images, set a cookie with a short expiry
> > (say 1 hour), and insist on the cookie before you give away an image.
>
> But the cookie is just a string which can be spoofed. Unless you set a
> unique cookie per visitor, miscreants can still concoct an HTTP request
> that mimics the fixed-value cookie to access the file.

Unique is fine with me.  (But I thought "short expiry" already implied
that; I don't see how to have short-expiry cookies that are
fixed-value.)

According to the original cookie spec, all that comes back to the server on subsequent requests is:


  Cookie: NAME1=OPAQUE_STRING1; NAME2=OPAQUE_STRING2 ...

Unless I'm reading this wrong, the expiry date doesn't get sent back when the next request is made. So if the *value* of the cookie is simply set to something like "my-little-secret" and the only thing that changes with each request is the expiry date, the illicit client can easily ignore the expiry date and send the fixed string back with his request. He'd have to do pretty much the same thing to spoof the Referer header anyway.

---
Joseph L (Joe) Larabell            Never fight with a dragon
http://larabell.org                     for thou art crunchy
                                  and goest well with cheese.
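An added illustration (not code from the thread or its participants) of the point above: since only the cookie's value comes back, the expiry has to live inside that value, and the server has to be able to tell it was not altered. Here the server signs a per-visitor id plus an expiry with a secret key (HMAC); the key, cookie name and helper names are my assumptions.

```python
import hmac
import hashlib
import secrets

# Assumption: a server-side key the client never sees (constructed for the demo).
SECRET_KEY = b"constructed-demo-key-do-not-reuse"
COOKIE_NAME = "imgtoken"


def new_visitor_id() -> str:
    """Random per-visitor id, so every visitor gets a different cookie value."""
    return secrets.token_hex(8)


def issue_token(visitor_id: str, now: int, ttl: int = 3600) -> str:
    """Set on pages that embed images: value = id:expiry:HMAC(id:expiry)."""
    payload = f"{visitor_id}:{now + ttl}"
    sig = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{sig}"


def verify_token(token: str, now: int) -> bool:
    """Checked before serving an image. Rejects malformed, forged, or expired values."""
    try:
        visitor_id, exp_s, sig = token.rsplit(":", 2)
        exp = int(exp_s)
    except ValueError:
        return False
    payload = f"{visitor_id}:{exp_s}"
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time compare; a changed expiry or id changes the signature.
    if not hmac.compare_digest(sig, expected):
        return False
    return now < exp


def parse_cookie_header(header: str) -> dict:
    """Parse 'Cookie: NAME1=VALUE1; NAME2=VALUE2' into a dict."""
    body = header.split(":", 1)[1] if header.lower().startswith("cookie:") else header
    cookies = {}
    for part in body.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def image_allowed(cookie_header: str, now: int) -> bool:
    """Decision for an image request, given the raw Cookie header it carried."""
    token = parse_cookie_header(cookie_header).get(COOKIE_NAME)
    return token is not None and verify_token(token, now)
```

A fixed string such as "my-little-secret" fails the signature check outright, and a replayed genuine token stops working once its embedded expiry passes, because the expiry cannot be edited without breaking the signature.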

