Re: attn. buzzy...red x....first draft....



On Thu, 27 Oct 2005 14:47:39 +0200, abelard <abelard2@xxxxxxxxxxx>
mysteriously appeared thru the usenet mist to inform us thus...

>http://www.abelard.org/technology/red_x.php
...my comments [inside brackets]

A number of people have complained that they cannot see the images
at the abelard.org website, that instead they see a red ‘x’ or another
symbol for unfound images.

[Nice to see you've finally owned up to there being other people
who have suffered from this problem viewing your website!!!
Honesty is always the best policy lardy ;;--)) ]

First of all, this is not a problem with the abelard.org server, but
a problem with the setup of the user's, that is your, computer.

[I disagree with this assertion, but it's not entirely unexpected.
Do you wish to make your website easily available to users or not?
The way your website is currently set-up requires users to risk their
privacy/security - albeit probably in minor ways.]

In all the cases we have encountered so far, the user in question
was using a ZoneAlarm personal firewall which was set to block what
ZoneAlarm calls “personal headers”.

[ZA actually calls them 'private headers'. Anyway, that's certainly
true w/r/t myself, as I reported some while back but I cannot speak
for users of other firewalls.]

That option appears to cause the communication system between your
web-browser and standard web servers to break.

[I don't think it's right to say the system "breaks", users just get
the Red X syndrome.]

So-called “personal headers” are not in any way related to security or
privacy, but are just another example of security companies using
vague and ominous sounding words to alarm unwary customers into paying
for useless, and often counterproductive, wares.

[They're still called 'private headers'...]
[This is blather. *Any* information about a user which is passed over
to another website *is* a matter of privacy and possibly security.
It also depends on exactly what data is passed over. I have not
investigated this in detail but the user's IP address is passed over
(per tas) and their computer name 'may' be also. The user's IP address
can amount to a security risk with some other dodgy websites if they
use a static address (like myself). The data which is passed over may
be recorded in server logs and used/manipulated by website-owners.]

What follows is a fairly technical and involved explanation of
“personal headers”, why they are necessary and why they are not
relevant to your computer’s security or your privacy.

[blather - and they're still called 'private headers'...]

You do not need to read or follow this explanation in order to fix
your problem with images from abelard.org (or elsewhere) not showing:
for that, simply unblock “personal headers” in your ZoneAlarm
firewall.

[Sure ...but what about my privacy? ...and they're still called
'private headers']

[chunk deleted]

The server then checks the headers you have sent, and if it decides
your information is kosher, it sends you the page or image you want.
There are also various acknowledgment messages, so that it usually
takes a total of seven messages - including setting up the TCP/IP
connection - between your computer and the server to get (download)
one file.

[Ask the BBC and MANY other sites why they don't "break" when
'private headers' are switched off by users. So the assertion by
the auroran sunset that the data is 'required' by http is false.]

The HTTP communication system is what is known as “transaction-less”
in techie-speak. That means that there is no memory in the HTTP
system. If you ask for one document and then a second, HTTP does not
have any intrinsic way to tell the server that the two requests are
related. This has advantages and disadvantages. It makes the web
system extremely flexible and resistant to failure, but can be
inconvenient. To compensate for this inconvenience, a new header was
invented, called the “referrer header”.

[see comments above about recording in server logs.]

referrer headers
The referrer header tells the server from which page your request
came.
There are three possibilities:

You type an address into the address bar of your browser and click
enter. As you have not come from anywhere, the referrer header should
be blank.

On a page somewhere on the internet - with a site address of Address1
- you click on a link. As you have come directly from Address1, the
referrer header will contain Address1.

You ask for a page - with a site address of Address2 - that contains
images, or other files. All of these files - the text page and the
images ‘contained’ in it - are separate and so the server must be
asked for them separately. Your browser, seeing that the downloaded
web page needs these images, asks for them. The referrer header in
those requests will contain the address Address2.
Only in the second case is there any possible privacy intrusion,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[auroran sunset finally admits to there being a privacy issue which
contradicts his earlier assertion.]

albeit very minor. Minor because the only information the server will
have about you is your IP address, what page on their server you
wanted to see and what page you came from. This does not tell them who
you are......

[Not necessarily so. One only has to match a static IP address on
usenet with an IP address on your website logs to match up the user.]

It does not tell them anything else about your browsing habits, just
who directed you to their site. Of course, if you have somewhere told
them who you are, they can make the connection; but you have not told
any site that you do not trust who you are, have you???

[As said above, I have not investigated which pieces of data are
actually passed over; there may be pieces which tas is unaware of
or ignoring in his attempt to pass the buck.]

In the first case, there is obviously no problem because there is no
referrer header at all. In the third case, there is no problem because
the referring page is one the server already knows that you wanted to
read - you just asked the server for it!

It is these referrer headers that the ZoneAlarm-ists are apparently
calling “personal” headers.

[ZA still calls them 'private headers'...]

leaching
To understand how referrer headers relate to the original red x
problem, you have to understand a little about “leaching” and how
website owners deal with it.

Leaching is a form of theft - a website places an image or another
large file, which is actually on another person’s server, onto one of
their own pages. When a user looks at that page, the user sees the image
as if it is part of the website they are looking at, but it is the
server on which the file lives that does the work and pays the cost.

Running a server costs money. Most of that money is for buying
“bandwidth”. This money is paid according to the amount of data sent
to users (visitors to that website), usually paid monthly. A leacher
causes the image owner to pay for the leacher to receive the benefit
from the image owner’s work, which is being called from the leacher’s
website by the leacher’s web-visitors. Leaching is often referred to
as “stealing bandwidth”.

Fortunately, there is a 100% effective method to stop leaching. You
tell your server not to give images, or other big files, to anyone who
does not have a referrer header that is part of your own website. Thus
if a user asks for one of your pages, they can get that page and all
the images without any problem, because your pages are obviously on
your own website. If the user asks for an image directly, or via
someone else’s site, your server tells them to go away and their
browser shows them a red x.

[Leaching is the main reason IMV why some servers are set up to
require some pieces of data contained in 'private headers'.
You were not aware of this set-up on your own website until I raised
the Red X issue, so it presumably wasn't a problem for you. The rest
of the blather from auroran sunset about TCP/IP etc is just that.
You should come out and say outright: we stop leaching by: . . .]

Unfortunately, ZoneAlarm is apparently more concerned with creating
fear of non-existent threats than with not damaging the functioning of
your computer, and so removes all referrer headers, even those that
are for the same site as the file being requested. As stated above,
the solution to this problem is simple and harmless: unblock “personal
headers” in your ZoneAlarm software. You also might consider politely
informing ZoneAlarm of your opinion of their behaviour.

[Pants.]

You could also consider using a different firewall. There is more
about firewalls in Software for security.

[Sure, let's all change our firewalls to solve a problem viewing
lardy's website!]

This document was kindly contributed to abelard.org by the auroran
sunset.

[Oh dear. Time to switch off 'private headers'!]

[I also said some while back that there are other reasons why the
Red X can appear and one of these is the coding technique/syntax used
for calling website images. This may not be the case in your website
but it's once again worth mentioning that eg the BBC website doesn't
suffer from Red X with 'private headers' switched off in ZA.]

ps - greg haemorrhoids knows something about http 'headers', he might
want to comment but I basically see tas's document as an attempt to
pass the buck onto users, although I do see the issue of leaching as
worthy of consideration.

--
"Turkey should join the EU 'because it is a European country'"
....Jack Straw 2nd October 2005 in Luxembourg.
BBC: "only 22% of citizens across Europe want Turkey to join the EU"
.
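The referrer check described in the quoted article, and the case where a firewall removes the header, worked through as an added example (not part of the post and not abelard.org's actual server configuration). The host names, file extensions, and the `allow_empty` option are assumptions for illustration; `allow_empty=True` models a server that still serves requests carrying no Referer header.

```python
from urllib.parse import urlsplit

OWN_HOSTS = {"www.example.org", "example.org"}  # assumed site hostnames (placeholders)
PROTECTED_EXT = (".jpg", ".jpeg", ".gif", ".png")  # assumed "big file" types


def referer_host(referer):
    """Return the lowercase host of a Referer value, or None if absent/unparseable."""
    if not referer or not referer.strip():
        return None
    try:
        host = urlsplit(referer.strip()).hostname
    except ValueError:
        return None
    return host.lower() if host else None


def decide(path, referer, allow_empty=False):
    """Return an HTTP status: 200 to serve the file, 403 to refuse it."""
    if not path.lower().endswith(PROTECTED_EXT):
        return 200  # pages themselves are always served
    host = referer_host(referer)
    if host is None:
        # Header removed by a firewall/proxy, address typed directly, or malformed value
        return 200 if allow_empty else 403
    # Exact host match: a substring test would accept the look-alike host below
    return 200 if host in OWN_HOSTS else 403


# Constructed requests: (description, path, Referer header as received by the server)
SAMPLE = [
    ("page, typed address", "/technology/page.html", None),
    ("image from own page", "/img/fig1.gif", "http://www.example.org/technology/page.html"),
    ("image, header removed by firewall", "/img/fig1.gif", None),
    ("image embedded on another site", "/img/fig1.gif", "http://other.example.net/post"),
    ("image, look-alike host", "/img/fig1.gif", "http://www.example.org.other.example.net/"),
]


def run(allow_empty):
    """Statuses for every sample request under the strict or lenient policy."""
    return [decide(path, ref, allow_empty) for _, path, ref in SAMPLE]


if __name__ == "__main__":
    for (label, _, _), strict, lenient in zip(SAMPLE, run(False), run(True)):
        print(f"{label:36} strict={strict} lenient={lenient}")
```

The two policies differ only on the third request: the strict rule refuses a same-site image whose header was removed, while the lenient rule serves it and still refuses requests that name another site. The Referer value is supplied by the client, so either rule is a bandwidth control rather than an access control.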


