Re: HTTP 401 and explanation when trying to read a private topic

Browsers and search engines do. Although for a search engine a 401 and a 404 probably aren't very different.

Ben
SVN repository for my extensions - The thread
Quickmarks 0.5
“Question: How does a large software project get to be one year late? Answer: One day at a time!” - Fred Brooks

Re: HTTP 401 and explanation when trying to read a private topic

Connor wrote:

How many users know what a 401 error means?

The original idea was to send a 401 code and a message explaining the user doesn't have permission to view the topic (or to send a 404 code and a message explaining the link doesn't exist). I assumed you meant that, since changing it to send a 401 code though leaving the message vague would just be fairly pointless...

Re: HTTP 401 and explanation when trying to read a private topic

My point is, changing the message solves the problem. Whether we send a 404 or a 401 is pretty much irrelevant to most users, and sending a 404 is not incorrect as far as I can tell, but sending a 401 is bad security practice, and gives no benefit as far as I can see.

Re: HTTP 401 and explanation when trying to read a private topic

From reading the RFC, it would seem that 401 isn't suited for the job, since FluxBB doesn't allow HTTP Auth:

RFC 2616 wrote:

401 Unauthorized


   The request requires user authentication. The response MUST include a
   WWW-Authenticate header field (section 14.47) containing a challenge
   applicable to the requested resource. The client MAY repeat the
   request with a suitable Authorization header field (section 14.8). If
   the request already included Authorization credentials, then the 401
   response indicates that authorization has been refused for those
   credentials. If the 401 response contains the same challenge as the
   prior response, and the user agent has already attempted
   authentication at least once, then the user SHOULD be presented the
   entity that was given in the response, since that entity might
   include relevant diagnostic information. HTTP access authentication
   is explained in "HTTP Authentication: Basic and Digest Access
   Authentication" [43].

Thus a 404 would be more suited:

404 Not Found


   The server has not found anything matching the Request-URI. No
   indication is given of whether the condition is temporary or
   permanent. The 410 (Gone) status code SHOULD be used if the server
   knows, through some internally configurable mechanism, that an old
   resource is permanently unavailable and has no forwarding address.
   This status code is commonly used when the server does not wish to
   reveal exactly why the request has been refused, or when no other
   response is applicable.

And yes, I do agree that giving a slightly more descriptive message won't impact security too much.

Ben

Re: HTTP 401 and explanation when trying to read a private topic

Connor wrote:

My point is, changing the message solves the problem. Whether we send a 404 or a 401 is pretty much irrelevant to most users, and sending a 404 is not incorrect as far as I can tell, but sending a 401 is bad security practice, and gives no benefit as far as I can see.

I thought the problem was that disclosing the fact the post exists is bad security practice (whether it be by sending a 401 or displaying a message saying so). I don't see how disclosing the fact a post exists by sending a 401 is any worse security-wise than sending an easy-to-read message saying the same thing.

I am not saying sending a 401 is appropriate, just that I don't see how sending different messages but the same code solves the security issue Smartys brought up. (Also personally I don't think it is much of a security issue, where's the harm in knowing it exists?)

Re: HTTP 401 and explanation when trying to read a private topic

You can give an error message without impacting security by just giving a general "this might be a page, you can try logging in" or whatever.

Re: HTTP 401 and explanation when trying to read a private topic

Connor wrote:

My point is, changing the message solves the problem. Whether we send a 404 or a 401 is pretty much irrelevant to most users, and sending a 404 is not incorrect as far as I can tell, but sending a 401 is bad security practice, and gives no benefit as far as I can see.

First, I should have re-read the RFC, and not the Wikipedia summary. Yes, 401 isn't relevant because of the HTTP auth; 403 is the right one.

Next:

HTTP errors are mostly not for humans but for machines: a search engine's spider, but it could be wget, a Firefox extension, whatever; we don't know all the tools currently available, and we certainly don't know what the future holds. That's the point of sticking to the protocol: it allows other people to do smart things with that protocol that we didn't think about in the first place.

The RFC got it right to the point:

If the server does not wish to make this information available to the client, the status code 404 (Not Found) can be used instead.

We are back to the issue of: does FluxBB handle all errors the same, or does it acknowledge that an unknown URL isn't the same as one the user isn't allowed to see?

I do think it's important that Flux doesn't handle all errors the same. When the average user follows a link and is sent an error in the face, the software should explain the error the best way it can, and help the user correct it. Basically, it should be user friendly.

And as already pointed out, if Flux explains in plain English that X is a private topic the user isn't allowed to read at the present time, and that Y is a URL it doesn't understand and maybe the user should use the search engine to find whatever he was looking for (and it should do both), then I don't understand what possible reason there could be for not sending the appropriate HTTP error code header so that machines can understand the same thing.

Although, I agree the most important point (and by far) is the plain English explanation.

Apart from the bug/feature itself, I'm still curious about the security issues people talk about. I'm sorry to be thick, but I can't imagine what the security-related topic might be in this area.

Re: HTTP 401 and explanation when trying to read a private topic

No one is saying that we should return a 404 but say the user doesn't have permission, afaik the solution is to say that the page may exist, and the user may not have permission to view it. This is quite different to simply saying they don't have permission.

If we return a 404 with a message that does not confirm if pages exist or not I don't see a problem.

As for the security concern, Smartys explained and linked to similar problems already.

Re: HTTP 401 and explanation when trying to read a private topic

Connor wrote:

No one is saying that we should return a 404 but say the user doesn't have permission, afaik the solution is to say that the page may exist, and the user may not have permission to view it. This is quite different to simply saying they don't have permission.
If we return a 404 with a message that does not confirm if pages exist or not I don't see a problem.

I see two, at the first glance:

- it doesn't help the user, at all. I browse through acme.com and follow a link explaining why Acme Gizmo is the best alive. If all I get is an error message saying: “ok the page you asked, well, I don't have it; or maybe I have it but I won't give it to you; or maybe my database is down; or maybe I've been taken over by aliens and they're after you” I won't bother with anything. I'll close the tab, I'll close the original Acme tab, and will move to the next point of order of my day.
It would be marginally better than the “thing” we currently have, but it's still confusing the user on purpose. We have the information, why not explain it to the user?

- for a less average web user, I think they may (and we can't blame them) take it as a personal insult. They know the server has the damn data, they can easily check if the topic is either private or has existed and been deleted, or if the link is bogus altogether. Why make the user's life more difficult on purpose?

As for the security concern, Smartys explained and linked to similar problems already.

Erh... unless I'm blind, no he didn't.

Smartys wrote:

No. You can't prove that the topic exists, which is the important part. It may have been deleted, it may not have been created yet, or it may be private, but you can not say with 100% certainty which it is. The idea is not specific to topics and forums but is important in general in order to prevent information from leaking.

And none of his links pointed to a similar issue, as far as I can see.

It's all relative to authentication. The general idea is, login is half the auth; if you give away the existence of a login, you're screwed. I mostly disagree with this (the whole user list of any FluxBB forum is public, and security through obfuscation slightly delays the break-in but significantly delays solving the security problem) but that's not even the issue here.

We're not asking (yet :P) about the auth, we're asking the software to qualify the server errors, in other words to disclose the existence of _content_.

What's the security issue with content? What can someone possibly do when he knows 100% that a specific piece of content exists? Especially when he knew with 99.9% certainty before that?

To take a sentence off Smartys quote, “The idea is not specific to topics and forums but is important in general in order to prevent information from leaking”: but as admin we want to propagate information! That's the whole point of a forum software, isn't it?

Again, what would be a scenario where a hacker can do something evil by knowing 100% that topic n is private? I just don't understand that.

Re: HTTP 401 and explanation when trying to read a private topic

I don't see how saying "Bad Request. This page may exist but you do not have permission to view it" is any different to saying "You do not have permission to view this page" from the user's perspective, except the first one does not imply the page exists. We can't be sure the user will be able to access the page after logging in anyway.

The security point is not really that it's a problem if a user knows if a topic id exists; the point is that you shouldn't disclose any information that the user does not have permission to know. This is the same as not telling someone if the username they tried to log in as exists or not. I don't think this is security by obscurity or obfuscation: we aren't hiding something, we're just not giving out information the user doesn't have permission to have. Just because you can't imagine a situation where this is a problem doesn't mean it's fine to allow people to access that information.

but as admin we want to propagate information! That's the whole point of a forum software, isn't it?

No, it's not the whole point, otherwise we wouldn't have permissions, would we?
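As an added example (not FluxBB code, and not posted by anyone in this thread), the following Python sketch models the two response policies argued over above for a topic the requester may not read: one that answers 403 for a private topic and 404 for an unknown id (distinct, machine-readable codes), and one that answers the same 404 with the same body in both cases. It also encodes the one RFC 2616 MUST quoted earlier (a 401 needs a WWW-Authenticate challenge) and shows what an anonymous crawler learns under each policy. The topic table, the staff group, the message texts and the `disclose` flag are all constructed for the example.

```python
"""Added example, not FluxBB code: what a forum's error response reveals.

  disclose=True  -> 403 for a private topic, 404 for an unknown id
  disclose=False -> identical 404 (status, headers, body) for both cases
The topic table, staff group and message texts are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample data: topic id -> (title, is_private)
TOPICS: Dict[int, Tuple[str, bool]] = {
    1991: ("Release planning", True),   # private: only staff may read it
    2001: ("Welcome thread", False),    # public
}
STAFF = {"alice"}   # hypothetical group allowed to read private topics

# One message that is true whether the topic is private or does not exist.
GENERIC_BODY = ("The page you requested could not be shown. It may not exist, "
                "or you may need to log in with an account that has access to it.")


@dataclass(frozen=True)
class Response:
    status: int
    headers: Dict[str, str]
    body: str


def can_read(topic_id: int, user: Optional[str]) -> bool:
    _title, private = TOPICS[topic_id]
    return (not private) or (user in STAFF)


def view_topic(topic_id: int, user: Optional[str], disclose: bool) -> Response:
    """Build the response for GET /topic/<topic_id>/ under the chosen policy."""
    if topic_id in TOPICS and can_read(topic_id, user):
        return Response(200, {}, TOPICS[topic_id][0])
    if not disclose:
        # Private and nonexistent are deliberately indistinguishable:
        # same status, same headers, same body.
        return Response(404, {}, GENERIC_BODY)
    if topic_id not in TOPICS:
        return Response(404, {}, "No topic with that id exists. Try the search page.")
    return Response(403, {}, f"Topic {topic_id} is private; you do not have "
                             f"permission to read it.")


def challenge_response(realm: str = "forum") -> Response:
    """A 401 is only valid with a WWW-Authenticate challenge (RFC 2616 10.4.2).

    A forum that logs users in with an HTML form has no HTTP auth scheme to
    offer here, which is why the thread settles on 403/404 instead of 401.
    """
    return Response(401, {"WWW-Authenticate": f'Basic realm="{realm}"'},
                    "Authentication required")


def is_rfc_compliant(resp: Response) -> bool:
    """The MUST quoted in the thread: a 401 without a challenge is malformed."""
    if resp.status == 401:
        return "WWW-Authenticate" in resp.headers
    return True


def enumerate_existing(candidate_ids: List[int], user: Optional[str],
                       disclose: bool) -> List[int]:
    """What an anonymous crawler learns by requesting each candidate id.

    Any response that differs from the one for a clearly unknown id proves
    the topic exists, even when its content is never shown.
    """
    baseline = view_topic(-1, user, disclose)   # -1 is never a real id here
    found = []
    for tid in candidate_ids:
        r = view_topic(tid, user, disclose)
        if (r.status, r.body) != (baseline.status, baseline.body):
            found.append(tid)
    return found


if __name__ == "__main__":
    ids = [1991, 2001, 3000]
    for policy in (True, False):
        print(f"disclose={policy}: anonymous crawler learns these ids exist:",
              enumerate_existing(ids, None, policy))
    print("401 with challenge compliant:", is_rfc_compliant(challenge_response()))
    print("bare 401 compliant:", is_rfc_compliant(Response(401, {}, "x")))
```

Under `disclose=True` the anonymous crawler recovers the private topic 1991 from the 403 alone; under `disclose=False` only the public topic stands out, because the private and missing cases produce byte-identical responses. The body text in the second policy still tells a human what to try (log in), which is the compromise proposed a few posts up.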

Re: HTTP 401 and explanation when trying to read a private topic

Connor wrote:

I don't see how saying "Bad Request. This page may exist but you do not have permission to view it" is any different to saying "You do not have permission to view this page" from the user's perspective, except the first one does not imply the page exists.

Except for the first two words, that's probably fine _if_ there's another message for a “real” 404.

To take a practical example: if this is what you want to return when we try to access http://fluxbb.org/forums/topic/1991/, and you return “sorry this URL doesn't exist” (or something) for http://fluxbb.org/forums/topic/acme/, that's ok.

The “may” in your sentence is strange, but whatever.

We can't be sure the user will be able to access the page after logging in anyway.

One thing at a time, that was next in my pipe :)

The security point is not really that its a problem if a user knows if a topic id exists, the point is that you shouldn't disclose any information that the user does not have permission to know. This is the same as not telling someone if the username they tried to login as exists or not.

I don't think it's the same at all (admitting that the auth thing is right, which it's not here, but let's take it one thing at a time :P).

I understand the generalization, the global idea of “you shouldn't know that” generalized to everything. It's a nice theorem... in theory. But it's wrong, and the private topic is a great counterexample.

You say there's no issue, security or otherwise, letting the user know a topic is private. So you apply a global theoretical theorem to your decision making, and end up confusing the average user for no reason.

You don't see the benefit for the end user to have a distinct error message for an unknown URL and a private topic?

we're just not giving out information the user doesn't have permission to have.

Can I rephrase my bug fix (or feature modification, or whatever) to: give the user permission to have this, then? :)

Just because you can't imagine a situation where this is a problem, doesn't mean its fine to allow people to access that information.

My question was more: Can you? Can any of the core dev? Can anyone on the web? At all?

Again I'm talking about this very specific subject: disclosing the private versus "doesn't exist" status of a FluxBB URL.

By the way, if I try to get into the fluxbb.org admin panel, I get: “You do not have permission to access this page.” Why do I get a clear error message here, and not for a private topic?

Re: HTTP 401 and explanation when trying to read a private topic

Jérémie wrote:
Connor wrote:

I don't see how saying "Bad Request. This page may exist but you do not have permission to view it" is any different to saying "You do not have permission to view this page" from the user's perspective, except the first one does not imply the page exists.

Except for the first two words, that's probably fine _if_ there's another message for a “real” 404.

To take a practical example: if this is what you want to return when we try to access http://fluxbb.org/forums/topic/1991/, and you return “sorry this URL doesn't exist” (or something) for http://fluxbb.org/forums/topic/acme/, that's ok.

No, the point is there is one message, otherwise the user would know whether the topic exists or not.

Jérémie wrote:

(admitting that the auth thing is right, which it's not here, but let's take it one thing at a time :P).

It was an analogy, to help you understand, not a discussion point

Jérémie wrote:

I understand the generalization, the global idea of “you shouldn't know that” generalized to everything. It's a nice theorem... in theory. But it's wrong, and the private topic is a great counterexample.

No, you think it's wrong, very different

Jérémie wrote:

You say there's no issue, security or otherwise, letting the user know a topic is private. So you apply a global theoretical theorem to your decision making, and end up confusing the average user for no reason.

I don't think the average user is confused, especially when we can't really tell them if they could have access to the page anyway

Jérémie wrote:

You don't see the benefit for the end user to have a distinct error message for an unknown URL and a private topic?

I see little benefit, and not the point at all

Jérémie wrote:

we're just not giving out information the user doesn't have permission to have.

Can I rephrase my bug fix (or feature modification, or whatever) to: give the user permission to have this, then? :)

If you're going to argue like this, I'm going to stop arguing

Jérémie wrote:

Just because you can't imagine a situation where this is a problem, doesn't mean its fine to allow people to access that information.

My question was more: Can you? Can any of the core dev? Can anyone on the web? At all?

That isn't the point.

Jérémie wrote:

By the way, if I try to get into the fluxbb.org admin panel, I get: “You do not have permission to access this page.” Why do I get a clear error message here, and not for a private topic?

Because that would be security by obscurity? Anyone can download FluxBB and find out the URL of the admin panel.