
Re: Server Hacking

From: Laurent Demailly <dl@hplyot.obspm.fr>
Date: Mon, 16 Oct 1995 17:23:06 +0100
Message-Id: <9510161623.AA12068@hplyot.obspm.fr>
To: rg@server.net
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com

Roger Gonzalez writes:
 > Okay, you wise guys.  There's a crucial issue on the table:
 > I've gotten several connections with "User-agent" headers that contain
 > things like:
 >   User-agent: SomeGuyTyping/1234.1234 (ha ha)
 > and
 >   User-agent: TelnetHacker/1.1
 > As you can see, there is vast potential for screwing up vital client s/w
 > statistics-gathering.  We simply must standardize how we snoop each
 > other's servers.  :-)

You should not blindly trust (or even use automatically, or put back
in web 'stats' pages) any client-sent header or you'll get bad
surprises...
I think that ppl using telnet should not put in any User-agent:
(ok sometimes you must put fake mozillas,... to get the page you want)
Then, for instance I use "w3getv/0.1" for my simple w3getv that just
does a 'HEAD / HTTP/1.0' or "dlgeturl/2.4" when I use my geturl
version, and I imagine that everyone writing his minimal client throws
in his own header, which is not a bad thing as it allows you to know
somehow what 'tool' is used.... Of course ppl can joke/cheat, but
unless you get digital signature of headers you can not avoid it
{is that foreseen ?}

dl
--
Laurent Demailly * http://hplyot.obspm.fr/~dl/ * Linux|PGP|Gnu|Tcl|...  Freedom
Prime#1: cent cinq mille cent cinq milliards cent cinq mille cent soixante sept

terrorist cryptographic genetic Khaddafi security DST Croatian
Received on Monday, 16 October 1995 09:26:44 EDT
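
An added example, not part of the original message: one way to build User-agent statistics for a stats page without trusting the header, validating it against the HTTP/1.0 product-token grammar and escaping it on output. The function names `classify_user_agent` and `stats_rows`, the length cap and the bucket labels are assumptions made for this example.

```python
import html
import re
from collections import Counter

# RFC 1945 "token" characters, used for product / product-version.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_PRODUCT = re.compile(rf"({_TOKEN})(?:/({_TOKEN}))?")
MAX_UA_LEN = 256  # assumption: cap chosen for this example


def classify_user_agent(raw):
    """Return a bounded, well-formed product name or a fixed bucket label."""
    if raw is None or not raw.strip():
        return "(none)"
    # Reject oversized values and anything outside printable ASCII (CR/LF included).
    if len(raw) > MAX_UA_LEN or any(ord(c) < 0x20 or ord(c) > 0x7E for c in raw):
        return "(malformed)"
    m = _PRODUCT.match(raw.strip())
    if not m:
        return "(malformed)"
    return m.group(1)[:32]  # count by product name only, comments are dropped


def stats_rows(user_agents):
    """Count agents and return HTML table rows with every value escaped."""
    counts = Counter(classify_user_agent(ua) for ua in user_agents)
    # Token characters include & and ', so escaping is still required on output.
    return [
        f"<tr><td>{html.escape(name, quote=True)}</td><td>{n}</td></tr>"
        for name, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    ]


# Constructed sample headers; the first four product names appear in the thread.
SAMPLE = [
    "SomeGuyTyping/1234.1234 (ha ha)",
    "TelnetHacker/1.1",
    "w3getv/0.1",
    "dlgeturl/2.4",
    "w3getv/0.1",
    "<script>alert(1)</script>",
    "Evil\r\nX-Injected: 1",
    None,
]

if __name__ == "__main__":
    print("\n".join(stats_rows(SAMPLE)))
```

The counts remain only as reliable as the unauthenticated header itself; the code limits what a forged value can do to the stats page, not whether it is forged.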
