[thelist] 403 or 404?

Ken Moore psm2713 at hotmail.com
Wed Jun 6 09:03:49 CDT 2007


Hi all,

"Lee Kowalkowski" Wrote:

>I think a hacker is in a different mindset and already knows not to
>take 404's on face value, they'd soon catch on to a 404 ploy.

Of course this is true, they do have a different mindset. But my philosophy 
to security is twofold. First, make the cost of hacking in far higher than 
the benefits to the hacker. Second, keep your head down and hide in the tall 
grass.

If a hacker is just poking around and finds nothing, he is much more likely 
to move on if we do not put up a banner saying, "You are not able to get in."

IMHO,

Ken




>On 06/06/07, Hassan Schroeder <hassan.schroeder at gmail.com> wrote:
> > From a security perspective, you may not want to allow people to
> > confirm the existence of things they're not authorized to access.
> >
> > Minimizing the attack surface is a legitimate reason to return a 404;
> > it's "Not Found" /within the scope of the user's rights/.
>
>From a developer's point of view, a 403 is a godsend, because
>immediately one thinks "oh yeah, I forgot to authenticate" or
>whatever.
>
>I think a hacker is in a different mindset and already knows not to
>take 404's on face value, they'd soon catch on to a 404 ploy.
>
>--
>Lee
>--
>

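To make Hassan's "Not Found within the scope of the user's rights" concrete, here is an added example (not code from the thread or from evolt): a toy authorization layer with the two policies side by side. The "scoped" version returns the same 404 status and body whether the document is missing or merely belongs to someone else, but records the real reason in a server-side log so the developer still gets the "oh yeah, I forgot to authenticate" signal Lee wants. Document ids, owners and users are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample data: document id -> owning user.
DOCUMENTS = {"report-2007": "alice", "payroll": "finance"}

# Server-side record of the real reason for a refusal; never sent to the client.
AUDIT_LOG = []


@dataclass(frozen=True)
class Response:
    status: int
    body: str


# One shared 404 object so "missing" and "forbidden" are byte-for-byte identical.
NOT_FOUND = Response(404, "Not Found")


def lookup_revealing(doc_id, user):
    """403 for a document the user may not read: confirms that it exists."""
    if doc_id not in DOCUMENTS:
        return NOT_FOUND
    if DOCUMENTS[doc_id] != user:
        return Response(403, "Forbidden")
    return Response(200, f"contents of {doc_id}")


def lookup_scoped(doc_id, user):
    """404 for anything outside the user's scope; the true reason goes to the log."""
    owner = DOCUMENTS.get(doc_id)
    if owner is None:
        AUDIT_LOG.append(f"{user} -> {doc_id}: missing")
        return NOT_FOUND
    if owner != user:
        AUDIT_LOG.append(f"{user} -> {doc_id}: forbidden (owner {owner})")
        return NOT_FOUND  # same status and body as the missing case
    return Response(200, f"contents of {doc_id}")


def leaks_existence(handler, user):
    """True if the handler answers a missing and a forbidden document differently."""
    return handler("no-such-doc", user) != handler("payroll", user)
```

The comparison in `leaks_existence` is the check a reviewer should apply to a real handler too: status, headers and body of the two cases must match, or the 404 is just a 403 with a different number.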



