W3C home > Mailing lists > Public > www-html@w3.org > October 2000

RE: Obfuscating downloaded URIs (was: Download question) [Off top ic]

From: Dave J Woolley <david.woolley@bts.co.uk>
Date: Wed, 25 Oct 2000 12:58:57 +0100
Message-ID: <81E4A2BC03CED111845100104B62AFB5824B35@stagecoach.bts.co.uk>
To: www-html@w3.org
> From:	Shelagh Power [SMTP:s.power@syzygy.net]
> 
> ..but what about technologies such as .jsp where you can assign variables
> to
> page names and therefore specify the name rather than the url in the
> servlet
> links? 
> 
	[DJW:]  That's server side, isn't it?  How does the
	name get to the server.  It is sent either as part of
	the URL or as a form parameter.  For a specific browser,
	you might be able to embed that parameter into Java.  It
	makes it more difficult to access, but not impossible - one
	can use a proxy, if necessary, to recover the data.  You
	are locking out more and more users as you go along this
	road.

	Also, once you have server side intelligence, you no longer
	need to obfuscate the URL, as the server can vet each request,
	which was the real point that the other respondent was making.
	My guess is that this question arises from someone using cheap
	hosting space, which doesn't permit user CGI, or who doesn't
	have access to the programming skills to create something that
	is reasonably secure.

	If the problem is one of wanting to make the file cachable, I
	believe the standard approach is to change the name every day
	or so, to make leakage of the URL of limited duration.  You can
	also try to force an end to end If-Modified-Since, although this
	can be defeated.

-- 
--------------------------- DISCLAIMER ---------------------------------
Any views expressed in this message are those of the individual sender,
except where the sender specifically states them to be the views of BTS.
Received on Wednesday, 25 October 2000 07:59:10 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 27 March 2012 18:15:44 GMT