Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)

Wed Aug 4 13:32:21 BST 2010

On 4 August 2010 12:35, James Firth <james2 at jfirth.net> wrote:
>
> Not according to RFC 1738 it's not.

For reasons I'll explain, that may not be relevant.

>
> Just because there is a weakness there it doesn't necessarily mean anyone
> using the syntax should be prosecuted for attempting unauthorised access.

Agreed and I don't think anyone on this list disagrees. Note that you
elide "should be prosecuted" with "is committing a criminal offence":
the former is normative, the latter is not. I agree with you on both
points because you qualify it with "necessarily". Of course.

>
> A url http://ejf.me/../../ is perfectly valid.
>
> If the server does not intend to provide access above "document root" then
> the server must handle rejection.
>
> If the server does provide access above "document root" then by the server's
> own admission through issuing a 200 OK response is indicating that access is
> AUTHORISED.

Not as the law understands it. Merely because something is possible
doesn't mean that it is therefore permissible.

Section 17(5) either defines or amplifies the definition of authorisation:

"(5) Access of any kind by any person to any program or data held in a
computer is unauthorised if—

(a) he is not himself entitled to control access of the kind in
question to the program or data; and

(b) he does not have consent to access by him of the kind in question
to the program or data from any person who is so entitled."

If you happen to believe that a website has been compromised and
"know" (which is a strong statement and will be hard for the
prosecution to prove) that a particular URL (whether malformed or not)
will permit you to gain access to a part of the website you should not
- or better that it will give you access you should not have (since
websites don't have parts) and you know also that you don't have
consent to do it, then trying that URL to see if it works would
constitute a s.1 offence.

Its irrelevant whether or not the owners of the website are at fault
for permitting you to do so and irrelevant whether or not they have
permitted (since you may still be guilty of the attempt even if the
action is impossible).

So the moral is: don't supply a URL to a website where you know that
success will give you access to data to which you are not entitled,
for whatever reason.

>
> It's not just an unlocked door, it's a shop with a sign outside saying "We
> accept all visitors who conform to RFC 1738 - feel free to walk through the
> door corresponding to your valid request".

As I tried to say earlier, trying to use other world examples of
situations when arguing about what the law actually says is misleading
and unhelpful. The law won't proceed by analogy in that way, and if
you tried it in any senior court, you'd get short shrift. The law on
access to property is not the same as the law on computer misuse. It
could have been drafted so it was, but it wasn't.

Morality is different: we could take the view (as the common law did
in the past about fraud) that the criminal law won't help you out if
people try to do things you don't want them to - i.e. its up to you to
protect yourself - but that is a different question.

>
> If the server operator did not intend to provide access above server root,
> then they should have configured their server to provide an appropriate
> (4xx) denial.

Do we know they did not? You commit an offence of attempt if you try
to do this even if the server operator has indeed secured themselves
against unauthorised access. What the web server does or does not do
is not nearly as important as one might think because of the Criminal
Attempts Act.

>
> In this case it's the victim who cannot claim ignorance of the protocol is a
> valid excuse for launching a prosecution for something which ultimately is
> their own fault.
>
> It's NOT even due to a bug in the software the server using.  It's a failure
> to understand the services the server operator is willingly offering.

I'm not sure what "it" is in this context, but in order to succeed a
prosecutor has to prove that defendant _knows_ that their access is
unauthorised. If you think your access is authorised you are quite
safe.

-- 
Francis Davey