- From: Koen Holtman <koen@win.tue.nl>
- Date: Mon, 18 Dec 1995 16:46:45 +0100 (MET)
- To: Benjamin Franz <snowhare@netimages.com>
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Benjamin Franz: > >On Sun, 17 Dec 1995, Koen Holtman wrote: > >> Not that I expect many providers to implement such a filtering >> mechanism, most would treat web spoofing like they treat news spamming >> and mail forging now: forbid it in the terms of service agreement and >> deal appropriately with any found violations. > >Ummmm...Considering the immense magnitude of both spamming and forging >today, this is not a convincing argument for leaving it to local option. Hmm, forging does not happen that often AFAIK. Anyway, the kind of web spoofing we are talking about here does not have the same global impact as spamming and forging: with the rule that 2xx Location headers not pointing to the server that generated the response should be ignored, this kind of web spoofing can only harm users that share the host with the spoofer. [...] >The other route (local filtering) just places too much reliance on good >security management at the local level. As the impact of mismanagement would be limited to local content, I have little problems with this reliance being placed. Service providers with security management lousy enough to allow prolonged web spoofing will simply loose their customers and die. [...] >On large systems with thousands of customers with many special cases, it >would be a logistical nightmare even for experienced admins. Not if the Location header filter is user-id based as described before. Experienced admins could create such a filter in a few hours, if it is not already a standard option of future 1.1 http servers. In other words, I don't share your pessimism. >Benjamin Franz Koen.
Received on Monday, 18 December 1995 07:53:40 UTC