Mailing List Archive



Re: [tlug] detect fake HTTP referrer



Joe Larabell writes:

 > > > .... That's my bandwidth and, even though I get a certain amount
 > > > included in my monthly allotment, it's not a *free*
 > > > resource. That's theft.
 > >
 > > AFAIK it's not.  I can understand that you dislike it, but that
 > > doesn't make it theft.
 > 
 > IANAL but it seems to me that intentionally using my paid-for ISP account 
 > to serve images for their site without my permission should fall in the 
 > same bracket as someone using another's WiFi access point without their 
 > knowledge. The latter is of very questionable legality and there have been 
 > arrests and fines (I Googled "WiFi theft" to verify that).

The analogy breaks down because the anonymous people who download
images from your site are doing so with your knowledge and permission.
In the WiFi situation, that ain't so.  If you want to make sure the
references come from your site or people who have your permission to
do so, you'd better not put up the content for anonymous download.
Consider: you could easily get hosed by a bug in a 'bot (e.g., something
like "GET /rboots.txt" could cost you a year's worth of bandwidth!)

 > According to the original cookie spec, all that comes back to the server 
 > on subsequent requests is:

Right.  I'm beginning to see why you're having such problems with this
whole conversation.  The *server* must enforce cookie validity.  This
is not just a matter of protecting itself from ethically-challenged
clients.  "Never attribute to malice that which can be explained by
mere stupidity."  You think in terms of burden-sharing, but as "nice"
as it sounds in sufficiently abstract theory, as soon as you start
thinking about the practical consequences, the economics go wonky.

In the same way, the server must enforce any preconditions on
downloads.  Granted, images consume enough bandwidth that the zurui
motivations start to come to the fore, but there are good reasons why
servers *should* enforce their desired restrictions, rather than
criminalizing impolite client behavior.
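
One way a server can enforce cookie validity and a download precondition itself, without consulting the client-supplied Referer header. This is an added example, not part of the original message; the cookie name `img_pass`, the secret, and the lifetime are assumptions, and the sample requests are constructed.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: per-site secret, kept server-side
MAX_AGE = 3600                    # assumption: cookie lifetime in seconds


def _mac(ts):
    return hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()


def issue_cookie(now=None):
    """Value the server sets when it renders one of its own pages."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_mac(ts)}"


def cookie_is_valid(value, now=None):
    """Server-side check: well-formed, authentic, and within its lifetime."""
    now = time.time() if now is None else now
    ts, sep, mac = (value or "").partition(".")
    if not sep or not (ts.isascii() and ts.isdigit()):
        return False  # malformed or missing: reject, never guess
    if not hmac.compare_digest(mac.encode(), _mac(ts).encode()):
        return False  # timestamp or MAC was altered by the client
    return 0 <= now - int(ts) <= MAX_AGE


def serve_image(headers, now=None):
    """Return the HTTP status for an image request; Referer is ignored."""
    pairs = (p.strip().split("=", 1)
             for p in headers.get("Cookie", "").split(";") if "=" in p)
    cookies = dict(pairs)
    return 200 if cookie_is_valid(cookies.get("img_pass"), now) else 403


if __name__ == "__main__":
    t0 = 1_000_000  # constructed clock value
    good = issue_cookie(t0)
    samples = [  # constructed requests
        ("valid cookie", {"Cookie": f"img_pass={good}"}, t0 + 60),
        ("Referer only", {"Referer": "https://example.org/"}, t0 + 60),
        ("expired cookie", {"Cookie": f"img_pass={good}"}, t0 + MAX_AGE + 1),
        ("garbage cookie", {"Cookie": "img_pass=abc"}, t0 + 60),
    ]
    for label, headers, now in samples:
        print(f"{label:15} -> {serve_image(headers, now)}")
```
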

