- From: MegaZone <megazone@livingston.com>
- Date: Fri, 8 Nov 1996 07:15:31 -0800 (PST)
- To: www-talk@w3.org
Once upon a time Benjamin Franz shaped the electrons to say...
>They are in a fool's paradise if they think that hiding it behind a script
>can force people to see the license. I could mention the MAJOR adult web
>site that has placed their authentication on one server and their files
>and search engine on a *different* server - and trusted to the fact they
>used a POST method form to shield the search engine from direct
>unauthorized access. They were wrong.

The source files are not accessible to the HTTPD. Sure they could hack the server - but then any system is vulnerable to that. You have to trust the firewall, etc on that. The only way to get the files sent to you is this one CGI, and the only way to call that CGI is the form. If you try calling it with any form that doesn't supply the required info then it refuses to send the files. It also logs several HTTP environment variables to back up the server logs and provide links. You'd need to forge domain name and IP address in addition to giving all bogus info on the form. Sure it can be done, but not easily.

That adult site system sounds weak. No surprise it doesn't work.

>If you want to make sure people read your license - put the files behind
>an .htaccess wall and make them ONLY accessible with a login password that
>is changed daily and given on the license page. And make the login realm

They are *only* accessible via the one CGI, which is only accessible via this form (which is generated by the CGI on the first call). Yes, someone else could make another form that supplies all the valid input to get it to send the source, but that would be a deliberate circumvention and they must have knowledge of the form to copy it, so they saw the license, QED.

>a confirmation message for the license. Still won't stand up in a court
>though. Nothing not using cryptographic certs will (and not even those in
>all states).

Well, the lawyers disagree with you on that. Before we were allowed to do this they insisted on researching it, and they feel that it is defensible and that it will hold up. Don't ask me, I'm not a lawyer.

>Not as many people as *very experimental* extensions to HTTP. Well over

So, they just have to change the save as name. No big deal. It is convenience.

>90% of browsers today support cookies. There are other approaches as well

Well, I've been watching the user agents dl'ing the source. Less than 90% by far are NOT browsers that support cookies. Quite a number of Lynx and Mosaic hits.

-MZ
--
Livingston Enterprises - Chair, Department of Interstitial Affairs
Phone: 800-458-9966 510-426-0770 FAX: 510-426-8951 megazone@livingston.com
For support requests: support@livingston.com <http://www.livingston.com/>
Snail mail: 6920 Koll Center Parkway #220, Pleasanton, CA 94566
Received on Friday, 8 November 1996 10:15:37 UTC
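
The gate described in the message above, sketched as an added example that is not part of the original post and is not Livingston's code: a single handler that generates the license form on the first call, refuses any submission lacking the required values, and logs CGI environment variables for each release. The field names, the logged variable list and the placeholder archive are assumptions.

```python
import logging

# Assumed field names: the post never lists what the real form collected.
REQUIRED_FIELDS = ("name", "email", "company", "accept_license")
# CGI variables of the kind the post says were logged alongside the server logs.
LOGGED_ENV = ("REMOTE_ADDR", "REMOTE_HOST", "HTTP_USER_AGENT", "HTTP_REFERER")

LICENSE_FORM = (
    b"<form method='POST'><p>LICENSE TEXT (constructed placeholder)</p>"
    b"<input name='name'><input name='email'><input name='company'>"
    b"<input type='checkbox' name='accept_license' value='yes'>"
    b"<input type='submit'></form>"
)
SOURCE_ARCHIVE = b"constructed stand-in for the source archive"

log = logging.getLogger("license_gate")


def missing_fields(form):
    """Names of required fields that are absent or blank."""
    return [f for f in REQUIRED_FIELDS if not str(form.get(f, "")).strip()]


def audit_record(environ, form):
    """What gets written to the application log for each release."""
    record = {key: environ.get(key, "-") for key in LOGGED_ENV}
    record.update({f: form[f] for f in REQUIRED_FIELDS})
    return record


def handle(environ, form):
    """Return (status, body) for one CGI request."""
    # First call (no submission yet): the CGI itself generates the form.
    if environ.get("REQUEST_METHOD") != "POST":
        return 200, LICENSE_FORM
    missing = missing_fields(form)
    if missing or form.get("accept_license") != "yes":
        log.warning("refused: missing=%s from %s", missing,
                    environ.get("REMOTE_ADDR", "-"))
        return 403, b"Complete the license form to receive the source."
    # Every required value is present: record who asked, then release.
    # Only the submitted values are checked; a POST built by hand with the
    # same fields takes this branch too, so the log is the accountability.
    log.info("released: %s", audit_record(environ, form))
    return 200, SOURCE_ARCHIVE
```
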