Being safe on the internet (was Re: Here we go again - ISPDPI, but is it interception?)

[Tom Thomson]

When I first come across link to a website, say http://www.example.com/something/ it may give me a 404 error response (meaning that the directory something has no default file in it).  At that point I don't know whether access to http://www.example.com/ is authorised or not - and the advice most commonly given for dealing with 404 responses of this sort (and often contained in a custom 404 error page) is to go to the root: http://www.example.com/.  That may deliver a 403 response - if it does, I now know that access to the root is not authorised - but that is in fact very unusual, it may deliver me another 404 response (quite common, bad website design), or it may put me on the websites default page (this is the norm and is actually good design).  I think that no-one with any understanding of the web (and in their right mind) would suggest that I knew access was not authorised when I first tried access to that website root.

Now I'm at the root http://www.example.com/ and I have an unhelpful page of some sort, perhaps a 404 error page.  I don't know whether http://www.example.com/../ is authorised or not.  If it is, I may find a useful page there that is (or enables me to find) either the site's default page or the page I was originally directed to (through the link which delivered a 404 error, presumably either because the page had been moved since the link was created or because a typing error was made in creating the link).  If it isn't, I may get a 403 error response to tell me that it isn't authorised.  But in what sense could I be said to know that access to http://www.example.com/../ was unauthorised before I tried it to see?

A bit closer to the case in hand: suppose I have some reason to think that the site may have been compromised, and one likely way in which that could happen is that the site owner foolishly authorised access to http://www.example.com/../ as a directory listing with write access permitted.  I don't know whether the owner has indeed granted this access, so I navigate to http://www.example.com/../ to see whether access is authorised and if so in what form it is authorised. I may get a meaningful web page (which doesn't tell me access to this location is unauthorised, since (a) the web page may be in this location and (b) I may be allowed to access to this location in order to get redirected to that page), I may get a 403 error telling me access is unauthorised (but I clearly couldn't know that before I got the error) or I may get a directory listing (which tells me directory access is authorised - whether intentionally or by mistake) and that listing may indicate that from here I have write access to file-store - in which case I will contact the site owners and advise them both of this access being authorised (in case it was authorised by mistake) and of my suspicions that the site has been compromised, and give them notice to remove all my personal data from their systems and cease processing it in any manner (I can't off-hand remember which section of the DPA this notice comes under).

Since I'm a computer professional with a good understanding of website security (amongst other things) if I did what is described in the last paragraph above presumably a magistrate like the one in the case that's been being discussed would presumably find me guilty of a section 1 CMA offense, despite my not having any knowledge of the fact that access was unauthorised, just because at some point in the past some very bad tools made it easy for people to mistakenly permit access that they didn't want to permit, even though anyone using a more modern tool would have to go out of his way and jump through all sorts of hoops to allow this access so that if it were permitted it would (almost) certainly be deliberately authorised.

M