If you're an intelligent hacker, you can probably fingerprint the responses. A 404 issued by the webserver itself is probably going to have a slightly different packet response to a 404 generated by application level code. Might not be obvious under some situations (e.g. a single user making requests), but might become obvious under others (e.g. send multiple simultaneous requests).

Cheers
Ken

-----Original Message-----
From: thelist-bounces at lists.evolt.org [mailto:thelist-bounces at lists.evolt.org] On Behalf Of Stephen Rider
Sent: Thursday, 7 June 2007 12:40 AM
To: thelist at lists.evolt.org
Subject: Re: [thelist] 403 or 404?

On Jun 6, 2007, at 9:20 AM, patrick wrote:

> Stephen Rider wrote:
>> If the person is not logged in at all, they get a 30x redirect to a
>> "Please log in" page.
>>
>> IF they are logged in and try to access something they don't have
>> rights to, they get a 404 page that says something noncommittal such
>> as "The page was not found or you don't have access."
>
> Saying this '...you don't have access.' does not do this '...leaves the
> obscurity barrier to the hacker'
>
>> That leaves the obscurity barrier to the hacker, but gives some
>> info to the legit user who made a mistake.

Sure it does. As others have pointed out, any hacker worth his salt is going to know that 404s are frequently used for access denied pages, so you're not giving them info they don't have there. What you ARE doing is preventing them from knowing if the particular object exists. /object/21 (access denied) gives the exact same result as /object/36 (doesn't exist) or /object/abc (invalid).
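The pattern Stephen describes, as an added example that is not code from the thread: one handler answers "access denied", "does not exist" and "invalid id" with a byte-identical 404 built from shared constants, next to a leaky 403 variant for contrast. The object table, user names and the /login path are constructed for this example.

```python
import re

# Constructed sample data: object id -> owner who may read it.
OBJECTS = {21: "alice"}

# The one canonical 404 body, shared by every not-found / no-access case.
NOT_FOUND_BODY = "The page was not found or you don't have access."
COMMON_HEADERS = (("Content-Type", "text/plain; charset=utf-8"),)

ID_RE = re.compile(r"^/object/(\d+)$")

def not_found():
    # Built fresh each time from shared constants, so no case can differ
    # in status, headers or body.
    return (404, COMMON_HEADERS, NOT_FOUND_BODY)

def handle(path, user):
    """Return (status, headers, body) for GET <path> by <user>; None = anonymous."""
    if user is None:
        # Not logged in at all: 30x to the login page, as in the thread.
        return (302, (("Location", "/login"),), "")
    m = ID_RE.match(path)
    if m is None:               # /object/abc: invalid id
        return not_found()
    owner = OBJECTS.get(int(m.group(1)))
    if owner is None:           # /object/36: does not exist
        return not_found()
    if owner != user:           # /object/21 by someone else: access denied
        return not_found()
    return (200, COMMON_HEADERS, f"object {m.group(1)} belongs to {owner}")

def handle_leaky(path, user):
    """Contrast: answering 'denied' with 403 lets a probe tell 21 from 36."""
    resp = handle(path, user)
    m = ID_RE.match(path)
    if resp[0] == 404 and m and int(m.group(1)) in OBJECTS:
        return (403, COMMON_HEADERS, "Forbidden")
    return resp

def indistinguishable(paths, user, handler=handle):
    """True when every path yields the identical (status, headers, body)."""
    return len({handler(p, user) for p in paths}) == 1
```

Uniform status, headers and body close the enumeration channel Stephen describes; they do not address Ken's point that a webserver-generated 404 and an application-generated one can still differ at the packet or timing level, so the front-end server should be configured to serve this same page for its own 404s.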