Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)

James Firth james2 at
Thu Aug 5 08:23:49 BST 2010

> As long as the url is pointing to something on the public side of the
> url's root, I may have no idea whether or not the content I will find
> is

Where are you getting the definition of "public side"?

If I choose to configure my web server to serve pages "below root" -
perfectly valid by protocol - then anyone who accesses these pages are de
facto authorised in doing so.


The ** only way ** one can establish whether a request is authorised is to
send the actual request and look at the response.


This is a key fact applicable to request-response protocols.  Just look at a
[non-exhaustive] selection of response codes for HTTP/1.1 in RFC2616

200 OK
201 Created
202 Accepted
203 Non-Authoritative Information (since HTTP/1.1)
204 No Content


300 Multiple Choices
301 Moved Permanently
302 Found
303 See Other (since HTTP/1.1)


400 Bad Request
401 Unauthorized  (*)
402 Payment Required  (*)
403 Forbidden  (*)
404 Not Found
405 Method Not Allowed
406 Not Acceptable
407 Proxy Authentication Required[2]
408 Request Timeout
409 Conflict
410 Gone

There is a definition 401 UNAUTHORIZED and one cannot establish that the
request is unauthorized without sending the request.

Clearly applicable in such judgements.

James Firth

More information about the ukcrypto mailing list