Moderators (requests and notices)

  • So it's asking for it! Stupid. *stupid *people.

    Take all they have, at once!

  • No. I think I made that clear in my post.

    If you falsify headers in order to access a file, does that constitute unauthorised use of a computer network? Dunno, ask a lawyer. I haven't studied the relevant laws in enough detail to have a worthwhile opinion on that question, but falsifying headers doesn't seem very different from using a password not issued to you by the owner of the service.

    But that's my point right there... referrer headers aren't good enough to be trusted. They don't even need to be falsified, because if the site that had the link is on SSL then the header won't even be sent.

    It's not an authentication mechanism, and you shouldn't use it to derive authorisation.

  • The handbag on the chair analogy would be the tea-leaf saying "may I take your bag", and the handbag owner - let's call them hippy, for sake of argument - saying "but of course".

    As opposed to saying "but of course" and substituting the handbag with a paperbag full of tynan paste.

    Or saying "Fuck you - 403, motherfucker".

    Ok, so the analogy does not really work.

    What we are looking at is one person (the linker) taking a finite thing that another person (site owner) has paid for.

    You cannot copy bandwidth, it's an actual finite resource.

    But that's not theft because the owner was not able to stop the linker.

    What is it then?

  • It's hyperlinking dammit, it's what the whole web is based on.

    I, I'm... just flabbergasted.

  • then they can say so, and in a variety of ways, some that work better than others

  • munch, munch..

  • The entire web is based on linking to a picture on my personal website?

  • Then the chap should learn about security and do the right thing on his server and return a HTTP 403 header.

    That's what the 403 is for.

    Look, read this: https://www.owasp.org/index.php/Using_referer_field_for_authentication_or_authorization

    Using the referrer header for authentication is considered a vulnerability.

    It remains... stupid.

  • to me it sounds like someone trying to do a card trick and putting the card they want someone to pick at the front and the most awkward ones right at the back. Then when the person decides they want one from the back, the guy holding the cards getting all pissy and upset because they weren't "meant" to pick that one.

  • tiswas put it betterer

  • Then the chap should learn about security and do the right thing on his server and return a HTTP 403 header.

    That's what the 403 is for.

    Look, read this: https://www.owasp.org/index.php/Using_referer_field_for_authentication_or_authorization

    Using the referrer header for authentication is considered a vulnerability.

    It remains... stupid.

    So we are back to "he's too stupid to stop me, so it's ok"

  • It may be easy, and the server may be saying "take me, take me", but is it ethical?

  • They don't even need to be falsified, because if the site that had the link is on SSL then the header won't even be sent.

    blank header = no access to my big picture

    That does mean people with referrer turned off in their browser are inconvenienced, but they've done it deliberately and know how to undo it for my site. And if people can be arsed to falsify headers, they're welcome to my pictures, since they are putting in far more effort than the meagre reward deserves. As I said, it's not perfect, but then neither is the lock on my front door - even I know half a dozen ways somebody could get through my door without either stealing my key or asking my permission, and I'm not that interested in physical security hardware hacks so there are probably six more that I've never heard of.
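The two posts above (returning a 403 instead of relying on the Referer header, and the "blank header = no access" rule that breaks when the linking page is on SSL) can be made concrete with a small model. This is an added example, not code from the thread or from the poster's server; the hostnames are constructed placeholders and the browser behaviour it models is the classic "no-referrer-when-downgrade" rule, where an https page fetching an http image sends no Referer at all.

```python
from urllib.parse import urlsplit

# Constructed hostnames for the example; substitute the real site's hosts.
ALLOWED_HOSTS = {"example.org", "www.example.org"}


def referer_host(referer):
    """Return the lowercase hostname from a Referer value, or None if the
    header is absent, empty or carries no parseable host."""
    if not referer:
        return None
    return urlsplit(referer.strip()).hostname


def browser_sends_referer(page_url, image_url):
    """Model the no-referrer-when-downgrade behaviour the post relies on:
    a browser on an https page omits Referer when it fetches over plain http.
    (Assumption: this is the classic default; newer policies are stricter,
    not looser, so the downgrade case still yields no header.)"""
    page = urlsplit(page_url)
    image = urlsplit(image_url)
    if page.scheme == "https" and image.scheme == "http":
        return False
    return True


def hotlink_decision(headers, allowed_hosts=ALLOWED_HOSTS, allow_blank=False):
    """Return the HTTP status the server sends for a protected image.
    The decision rests solely on the client-supplied Referer header, which is
    why this is a bandwidth nuisance filter and not an authorisation check:
    the server never learns who is asking, only what the client claims."""
    host = referer_host(headers.get("Referer"))
    if host is None:
        return 200 if allow_blank else 403
    return 200 if host in allowed_hosts else 403


def simulate_fetch(page_url, image_url, allowed_hosts=ALLOWED_HOSTS, allow_blank=False):
    """What status does a visitor on page_url get when that page embeds
    image_url, given how the browser handles the Referer header?"""
    headers = {}
    if browser_sends_referer(page_url, image_url):
        headers["Referer"] = page_url
    return hotlink_decision(headers, allowed_hosts, allow_blank)


if __name__ == "__main__":
    # Legitimate visitor on the owner's own http page: allowed.
    print(simulate_fetch("http://www.example.org/gallery.html",
                         "http://www.example.org/big.jpg"))        # 200
    # Embedded from someone else's page: refused with 403.
    print(simulate_fetch("http://forum.example.net/thread",
                         "http://www.example.org/big.jpg"))        # 403
    # Owner's own page served over https, image over http: the browser drops
    # Referer, so the owner's own visitors get 403 under a strict blank rule.
    print(simulate_fetch("https://www.example.org/gallery.html",
                         "http://www.example.org/big.jpg"))        # 403
```

The third case is the one worth checking before deploying such a rule: move the gallery page to https without moving the images and the rule locks out exactly the visitors it was meant to serve. Setting `allow_blank=True` restores them, at the cost of also admitting every client that sends no Referer, which is the trade-off the thread is arguing about.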

  • So we are back to "he's too stupid to stop me, so it's ok"

    Yes.

    Because using a referrer header for security is totally fucking batshit crazy stupid.

  • Well, let us go and take advantage of all the stupid people, then.

  • munch, munch..

    Is your hammer broken?

  • Well, let us go and take advantage of all the stupid people, then.

    I thought that was what the internet was for? ;)

  • I have these magic beans...

  • I have these magic beans...

    Me too

  • I stole them.

  • It's ok if they couldn't stop you

  • using a referrer header for security is totally fucking batshit crazy stupid.

    True, but we're not really talking about using it for security, are we? It stops stupid people from using bandwidth I don't want them to use. It doesn't stop clever people, but there are so few of them that I can afford to let them use the bandwidth.

    If I had something on my server which would cost more than just bandwidth if it were accessed by somebody I didn't want to see it, I'd use a different method of sorting the authorised from the unauthorised.

  • Someone should tell Balki, he might be interested in all this hotlinking business.

  • Exactly the same for me wmv. I then go into the page info, copy the filename and go to it direct. Nearly always works but it's a faff.

  • https://www.lfgss.com/member30864.html

    posting his own stuff in ebay whilst being a nursery dodger


Posted by Velocio @Velocio