Re: If-Modified-Since and forged dated from Shel Kaphan on 1995-08-17 (ietf-http-wg@w3.org from July to September 1995)

From: Shel Kaphan <sjk@amazon.com>
Date: Wed, 16 Aug 1995 17:08:00 -0700
To: Lou Montulli <montulli@mozilla.com>
Cc: Shel Kaphan <sjk@amazon.com>, Larry Masinter <masinter@parc.xerox.com>, bne@bne.ind.eunet.hu, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Message-Id: <199508170008.RAA15301@bert.amazon.com>

Lou Montulli writes:

 > With most current implementations of HTTP servers it is impossible to
 > "get it right for itself".  HTTP servers reference a file system
 > that can be changed at random.  The HTTP server can only rely
 > on the last modified date of a file and that date can be inaccurate.
 > Adding an additional size checksum allows the server to "get
 > it right for itself" much more often.
 > 

Can't disagree.  I just have to wonder what would be going on that
would be introducing such strange modification date anomalies.  Are you
saying perhaps that NFS uses the remote system's date for the mod date
when a file is saved on a server(???), and that people might have
unsynchronized local networks, and that therefore there might be
legitimate reasons for a file to change but have a non-monotonically
increasing mod date?  

Maybe I've been looking in the wrong places, but I've just never seen
much evidence of mod-date tampering that would require much worry
about it.  That said, I can hardly disagree that if it were happening,
checksums would help detect it.  And that said, I also do not object
to this existing as an optional protocol feature; it isn't much of a
hot button for me.  I was just pointing out the (perceived)
cost-benefit .

	...
 > Perhaps reliability is not as important to your systems as it is
 > to ours?  If that's the case, make your servers ignore size= and
 > only use the date. 
 > 

Au contraire.  But since the systems I have been working on generate
most if not all pages dynamically, and they really are dynamic, I
don't even generate last-modified headers, due to (a) the practical
fact that Expires cannot be used yet, and (b) the fact that most
existing proxy caches interpret lack of last-modified to mean "do not
cache this".  But even were that not the case, I don't allow arbitrary
changes to our online website from around a local network such that
the problem could occur except by malicious intent.

 > :lou
 > -- 
 > Lou Montulli                 http://www.mcom.com/people/montulli/
 >        Netscape Communications Corp.

--Shel

Received on Wednesday, 16 August 1995 17:12:26 UTC