Re: attn. buzzy...red x....first draft....
- From: Greg Hennessy <me@xxxxxxxxxxx>
- Date: Thu, 27 Oct 2005 20:19:45 +0100
On Thu, 27 Oct 2005 18:06:59 +0100, "TD" <tdefries@xxxxxxxxxxx> wrote:
>Some firewall admins
Speaking as someone who has secured networks large and small for over a
decade now, here is my 2d's worth.
>don't want the initial HTTP GET operation to send the
>user's operating system,
That's implied from the user agent header; to strip this *will* cause
interoperability problems.
> browser type,
Sites can and do depend on this for proper functionality.
>client e-mail address,
I don't know of any client request header which encodes the client's email
address.
> referring URL,
By all means strip referrers from 3rd party sites, but stripping 1st party
http referrers is an act of silliness.
>and in some cases, intermediate proxy addresses,
Stripping RFC addressed proxy headers & the forwarded for header is
acceptable.
>to the webserver in
>question, because they don't want to leak potentially sensitive data. So
>they will enable something like 'remove client connection info' or 'protect
>privacy' to mask some of it.
Blocking 1st party http referrers does not protect privacy in any way, shape
or form.
'Firewall' software which strips them blindly is exceedingly broken snake
oil.
>It appears that your site, unlike every other site I can recall accessing,
>won't display images without receiving all that initial HTTP GET info.
It's a very common mechanism to prevent bandwidth theft.
greg
--
"Access to a waiting list is not access to health care"
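As an added illustration (not code from Greg's or TD's post), the Python model below contrasts the two proxy policies under discussion, stripping only third-party Referer headers versus stripping all of them, against a referer-based hotlink check of the kind Greg describes; the header names and the sample URLs are constructed for the example, and the first-party test compares bare hostnames rather than registrable domains.

```python
from urllib.parse import urlsplit

def is_first_party(referer, request_url):
    """True when the Referer names the same host as the requested resource.
    Simplification: compares the hostname, not the registrable domain."""
    if not referer:
        return False
    return urlsplit(referer).hostname == urlsplit(request_url).hostname

def proxy_filter_headers(headers, request_url):
    """The policy Greg argues for: drop Referer only when it points at a
    third-party site, but always drop proxy-trail headers."""
    out = dict(headers)
    ref = out.get("Referer")
    if ref and not is_first_party(ref, request_url):
        del out["Referer"]
    out.pop("X-Forwarded-For", None)   # proxy address headers: safe to strip
    out.pop("Via", None)
    return out

def blanket_strip(headers):
    """The 'protect privacy' checkbox TD describes: Referer always removed."""
    out = dict(headers)
    out.pop("Referer", None)
    return out

def hotlink_allowed(headers, request_url, allow_missing=False):
    """Server-side bandwidth-theft check: serve the image only when the
    Referer is first-party. allow_missing decides what happens when no
    Referer arrives at all, which is exactly the firewall-stripping case."""
    ref = headers.get("Referer")
    if ref is None:
        return allow_missing
    return is_first_party(ref, request_url)

if __name__ == "__main__":
    # Constructed request: a page on example.com embedding one of its images.
    img = "http://example.com/img/logo.png"
    req = {"Referer": "http://example.com/page.html",
           "User-Agent": "Mozilla/5.0", "X-Forwarded-For": "10.0.0.1"}
    print("selective strip:", hotlink_allowed(proxy_filter_headers(req, img), img))
    print("blanket strip:  ", hotlink_allowed(blanket_strip(req), img))
```

The second line prints `False`: a blanket-stripping firewall turns a first-party image request into a referer-less one, which a hotlink check rejects, while the selective policy keeps the same-site Referer and the image loads.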