Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)

James Firth james2 at jfirth.net
Thu Aug 5 08:23:49 BST 2010


> As long as the url is pointing to something on the public side of the
> url's root, I may have no idea whether or not the content I will find
> is

Where are you getting the definition of "public side"?

If I choose to configure my web server to serve pages "below root" -
perfectly valid by protocol - then anyone who accesses these pages is de
facto authorised to do so.

***

The ** only way ** one can establish whether a request is authorised is to
send the actual request and look at the response.

***

This is a key fact applicable to request-response protocols.  Just look at a
[non-exhaustive] selection of response codes for HTTP/1.1 in RFC2616


200 OK
201 Created
202 Accepted
203 Non-Authoritative Information (since HTTP/1.1)
204 No Content

...


300 Multiple Choices
301 Moved Permanently
302 Found
303 See Other (since HTTP/1.1)

...

400 Bad Request
401 Unauthorized  (*)
402 Payment Required  (*)
403 Forbidden  (*)
404 Not Found
405 Method Not Allowed
406 Not Acceptable
407 Proxy Authentication Required[2]
408 Request Timeout
409 Conflict
410 Gone

There is a definition 401 UNAUTHORIZED and one cannot establish that the
request is unauthorized without sending the request.

Clearly applicable in such judgements.

James Firth
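The request-response exchange the post describes, as an added example that is not part of the original message or of any referenced project: a constructed routing table stands in for the server, the client builds a GET request, the server answers with a raw HTTP/1.1 response, and the client can only learn whether the request was authorised by parsing the status line it gets back. The host name, paths and route outcomes are invented for the demo; the status-line grammar follows RFC 2616 section 6.1.

```python
"""Added example: a request is classified as authorised or not only from the
response the server actually returns.  Routes, paths and host are constructed."""
import re

# Constructed: what the hypothetical server answers per path.  Nothing in the
# path string alone tells the client which of these answers it will receive.
CONSTRUCTED_ROUTES = {
    "/": (200, "OK"),
    "/docs/": (200, "OK"),
    "/admin/": (401, "Unauthorized"),
    "/private/report.pdf": (403, "Forbidden"),
    "/old-page": (301, "Moved Permanently"),
}

# Request-Line = Method SP Request-URI SP HTTP-Version CRLF (RFC 2616 5.1)
REQUEST_LINE = re.compile(rb"^GET ([^ ]+) HTTP/1\.[01]\r\n")
# Status-Line = HTTP-Version SP Status-Code SP Reason-Phrase CRLF (RFC 2616 6.1)
STATUS_LINE = re.compile(rb"^HTTP/(\d)\.(\d) (\d{3}) ([^\r\n]*)\r\n")


def build_request(path, host="example.test"):
    """Client side: minimal HTTP/1.1 GET for the path (host is a constructed name)."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode("ascii")


def handle_request(raw_request):
    """Server side: parse the request line, look up the route, emit raw response bytes."""
    m = REQUEST_LINE.match(raw_request)
    if not m:
        return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    path = m.group(1).decode("ascii", "replace")
    code, reason = CONSTRUCTED_ROUTES.get(path, (404, "Not Found"))
    headers = [f"HTTP/1.1 {code} {reason}"]
    if code == 401:
        # RFC 2616 10.4.2: a 401 response MUST include WWW-Authenticate.
        headers.append('WWW-Authenticate: Basic realm="demo"')
    if code == 301:
        headers.append("Location: /docs/")
    headers.append("Content-Length: 0")
    return ("\r\n".join(headers) + "\r\n\r\n").encode("ascii")


def parse_status_line(raw_response):
    """Return (major, minor, code, reason) from a raw response, or None if malformed."""
    m = STATUS_LINE.match(raw_response)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)),
            m.group(4).decode("ascii", "replace"))


def classify(code):
    """Map a status code onto the outcomes the thread is arguing about."""
    if code in (401, 403):
        return "not-authorised"   # the server explicitly declined the request
    if code == 402:
        return "payment-required"
    if 200 <= code < 300:
        return "served"           # the request was honoured
    if 300 <= code < 400:
        return "redirected"       # the answer lies elsewhere (see Location)
    if code == 404:
        return "not-found"
    if 400 <= code < 500:
        return "client-error"
    return "server-error"


def probe(path):
    """Send the request, read the response, classify it.  Returns (code, verdict)."""
    raw = handle_request(build_request(path))   # stands in for the network round trip
    parsed = parse_status_line(raw)
    if parsed is None:
        raise ValueError("malformed status line from server")
    _, _, code, _ = parsed
    return code, classify(code)


if __name__ == "__main__":
    for p in list(CONSTRUCTED_ROUTES) + ["/missing"]:
        print(f"{p:22s} -> {probe(p)}")
```

The point the code makes is the one in the post: `probe` cannot know that `/admin/` will come back 401 and `/docs/` 200 until the exchange has happened, because the verdict is computed from the status line the server returns, not from the URL. On the server side, the 401 and 403 responses are the records an operator would expect to see in access logs for requests that were declined.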
