
#1 2008-10-05 18:53:09

Jérémie
Member
From: France
Registered: 2008-04-30
Posts: 629

HTTP 401 and explanation when trying to read a private topic

http://fluxbb.org/forums/topic/1991/ext … todo-list/ gives: HTTP 200 & “Bad request. The link you followed is incorrect or outdated.”

There's a wording issue (the request was not bad, it was perfectly well formed and valid; my link is both correct and up to date) of course.

But mainly, it's plain confusing for the reader. He follows a link, and oops it didn't work, he's out of his mojo. He has no idea why, when, how... I think the page should explain that the topic (post, etc.) he tried to access is private and he is not authorized to read it.

And for consistency and all the cute spider bots around the world, sending an HTTP 401 would be quite nice.


#2 2008-10-05 19:32:27

Reines
Administrator
From: Scotland
Registered: 2008-05-11
Posts: 3,197

Re: HTTP 401 and explanation when trying to read a private topic

Agreed.


#3 2008-10-05 20:26:46

Connor
Former Developer
Registered: 2008-04-27
Posts: 1,127

Re: HTTP 401 and explanation when trying to read a private topic

I'm not sure 401 is correct either; what if it is a bad URL?


#4 2008-10-05 21:26:02

Reines
Administrator
From: Scotland
Registered: 2008-05-11
Posts: 3,197

Re: HTTP 401 and explanation when trying to read a private topic

Connor wrote:

I'm not sure 401 is correct either; what if it is a bad URL?

I think the idea was to give a different message depending on if it is actually a bad request or the person doesn't have permission, which I think makes sense. (Though I'm not sure how easy it is to implement without adding overhead)


#5 2008-10-05 22:42:55

Connor
Former Developer
Registered: 2008-04-27
Posts: 1,127

Re: HTTP 401 and explanation when trying to read a private topic

I think this has been discussed before, and there was an issue with letting the person know if the URL existed or not if they didn't have permission to read it, but I may be wrong.


#6 2008-10-05 23:03:38

Smartys
Former Developer
Registered: 2008-04-27
Posts: 3,139

Re: HTTP 401 and explanation when trying to read a private topic

Jérémie wrote:

http://fluxbb.org/forums/topic/1991/ext … todo-list/ gives: HTTP 200 & “Bad request. The link you followed is incorrect or outdated.”

There's a wording issue (the request was not bad, it was perfectly well formed and valid; my link is both correct and up to date) of course.

But mainly, it's plain confusing for the reader. He follows a link, and oops it didn't work, he's out of his mojo. He has no idea why, when, how... I think the page should explain that the topic (post, etc.) he tried to access is private and he is not authorized to read it.

No. From a security perspective, acknowledging the existence of the topic is wrong. If the user does not have permission to see a topic, forum, etc, then he/she does not have permission to know that such an item exists.


#7 2008-10-06 01:03:04

orlandu63
Member
From: New Jersey, USA
Registered: 2008-05-17
Posts: 187

Re: HTTP 401 and explanation when trying to read a private topic

Smartys wrote:
Jérémie wrote:

http://fluxbb.org/forums/topic/1991/ext … todo-list/ gives: HTTP 200 & “Bad request. The link you followed is incorrect or outdated.”

There's a wording issue (the request was not bad, it was perfectly well formed and valid; my link is both correct and up to date) of course.

But mainly, it's plain confusing for the reader. He follows a link, and oops it didn't work, he's out of his mojo. He has no idea why, when, how... I think the page should explain that the topic (post, etc.) he tried to access is private and he is not authorized to read it.

No. From a security perspective, acknowledging the existence of the topic is wrong. If the user does not have permission to see a topic, forum, etc, then he/she does not have permission to know that such an item exists.

Either way, “Bad request. The link you followed is incorrect or outdated” is a bit vague. Maybe the error message should append extra info depending on what page you wanted to access?


#8 2008-10-06 03:29:09

Smartys
Former Developer
Registered: 2008-04-27
Posts: 3,139

Re: HTTP 401 and explanation when trying to read a private topic

True. There could be another language entry for those types of situations which mentions permissions as a potential issue as well.


#9 2008-10-06 05:55:00

Jérémie
Member
From: France
Registered: 2008-04-30
Posts: 629

Re: HTTP 401 and explanation when trying to read a private topic

Smartys wrote:

No. From a security perspective, acknowledging the existence of the topic is wrong. If the user does not have permission to see a topic, forum, etc, then he/she does not have permission to know that such an item exists.

I don't understand the security issue.

Topics are numbered in sequence from 1, and can be accessed by hand with that number. Apart from very specialized forum usage, it's _very_ easy to check if a topic is private or not: just enter the raw URL for that topic, see if you have access or not.

What's making a topic impossible to read? A deletion, but that's pretty rare on an average forum, like Pun or Flux (for those, less than one in a hundred? A thousand?). All the other ones are private topics.

So we already know those private threads exist, and roughly how many there are. If you push it, one can even write a simple bot that gets and parses the XML output of new threads, and counts. When a topic_id is jumped (not in the feed), it's 99.999999% of the time (if the bot is fast enough) a private one.

So I don't see why a proper English and HTTP answer to that is different. It's just more user friendly.

More important, what's the big deal? How is this a security issue? It doesn't impact the auth process and robustness in any way, as far as I can see.

I can imagine a paranoid admin may want to hide the existence itself of private forums and topics, but that would require an extension that randomizes topic ids.

Last edited by Jérémie (2008-10-06 05:55:34)


#10 2008-10-06 09:16:06

liquidat0r
Member
From: London, England
Registered: 2008-05-22
Posts: 418

Re: HTTP 401 and explanation when trying to read a private topic

What about a generic message saying that either the page doesn't exist or the user doesn't have permission to view it?


#11 2008-10-06 11:45:28

Jérémie
Member
From: France
Registered: 2008-04-30
Posts: 629

Re: HTTP 401 and explanation when trying to read a private topic

That would be a basic (better than nothing, still not good) fail-over if the devs are adamant about this, but I still don't understand the security issue here.


#12 2008-10-06 16:22:46

Smartys
Former Developer
Registered: 2008-04-27
Posts: 3,139

Re: HTTP 401 and explanation when trying to read a private topic

Jérémie wrote:

Topics are numbered in sequence from 1, and can be accessed by hand with that number. Apart from very specialized forum usage, it's _very_ easy to check if a topic is private or not: just enter the raw URL for that topic, see if you have access or not.

No. You can't prove that the topic exists, which is the important part. It may have been deleted, it may not have been created yet, or it may be private, but you can not say with 100% certainty which it is. The idea is not specific to topics and forums but is important in general in order to prevent information from leaking.

Jérémie wrote:

So I don't see why a proper English and HTTP answer to that is different. It's just more user friendly.

Because it's intentionally ambiguous. A 401 response is improper because we are not disclosing whether or not the information exists.

Some examples of similar situations:
http://www.12robots.com/index.cfm/2008/ … y-Series-5
http://msdn.microsoft.com/en-us/library … ges_topic2
http://www.owasp.org/index.php/Testing_ … numeration

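The distinction Smartys draws in the two posts above, as an added Python example that is not FluxBB code: a hypothetical leaky_view that answers "missing" and "private" with different responses, beside a uniform_view that answers both with the same 404 and the same ambiguous text (wording modelled on liquidat0r's suggestion). The topic data, forum ids and group names are constructed for the example.

```python
from dataclasses import dataclass
from http import HTTPStatus


@dataclass(frozen=True)
class Topic:
    topic_id: int
    title: str
    forum_id: int


# Constructed sample data: forum 1 is readable by everyone, forum 2 by admins only.
TOPICS = {
    1991: Topic(1991, "Extension todo list", 2),   # private topic
    2000: Topic(2000, "Welcome", 1),               # public topic
}
FORUM_READ_GROUPS = {1: {"guest", "member", "admin"}, 2: {"admin"}}

# Deliberately ambiguous wording: a reader cannot tell "missing" from "private".
AMBIGUOUS_MESSAGE = ("The page you requested does not exist "
                     "or you do not have permission to view it.")


def leaky_view(topic_id: int, group: str) -> tuple[HTTPStatus, str]:
    """Hypothetical 'before': a different status and text per cause, so any
    reader learns whether the topic id is in use even without read access."""
    topic = TOPICS.get(topic_id)
    if topic is None:
        return HTTPStatus.NOT_FOUND, "No such topic."
    if group not in FORUM_READ_GROUPS[topic.forum_id]:
        return HTTPStatus.FORBIDDEN, "This topic is private."
    return HTTPStatus.OK, topic.title


def uniform_view(topic_id: int, group: str) -> tuple[HTTPStatus, str]:
    """'After': the permission check is folded into the existence check, so a
    missing topic and an unreadable one produce identical responses."""
    topic = TOPICS.get(topic_id)
    if topic is None or group not in FORUM_READ_GROUPS.get(topic.forum_id, set()):
        return HTTPStatus.NOT_FOUND, AMBIGUOUS_MESSAGE
    return HTTPStatus.OK, topic.title


def leaks_existence(view, group: str, missing_id: int, private_id: int) -> bool:
    """Regression check for a reviewer: True if `group` can tell a missing
    topic from a private one by comparing the two responses of `view`."""
    return view(missing_id, group) != view(private_id, group)


if __name__ == "__main__":
    print("leaky_view leaks:", leaks_existence(leaky_view, "guest", 9999, 1991))
    print("uniform_view leaks:", leaks_existence(uniform_view, "guest", 9999, 1991))
```

The same comparison is worth running against response headers and timing, since a 404 whose body matches but whose Content-Length or latency differs still distinguishes the two cases.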

#13 2008-10-07 07:48:47

Jérémie
Member
From: France
Registered: 2008-04-30
Posts: 629

Re: HTTP 401 and explanation when trying to read a private topic

I'm sorry if I'm being thick, but I still don't understand what's the security issue with letting a user know a topic is private instead of “probably private but may have been deleted”. Why is that important?


#14 2008-10-07 11:16:44

orlandu63
Member
From: New Jersey, USA
Registered: 2008-05-17
Posts: 187

Re: HTTP 401 and explanation when trying to read a private topic

Jérémie wrote:

I'm sorry if I'm being thick, but I still don't understand what's the security issue with letting a user know a topic is private instead of “probably private but may have been deleted”. Why is that important?

I agree. Literally 99.9% of users would prefer more concise error messages than a single ambiguous one.


#15 2008-10-07 12:57:24

Felix
Member
Registered: 2008-05-13
Posts: 352

Re: HTTP 401 and explanation when trying to read a private topic

Well, I can see the sense, but I'm not approving it.

Another example is, when you try to log in the message shows "Username or Password wrong" to prevent others finding accounts that exist.

But I think this one is rather Security through Obscurity.

Just my 2 cents tho ;)


#16 2008-10-07 13:03:15

Jérémie
Member
From: France
Registered: 2008-04-30
Posts: 629

Re: HTTP 401 and explanation when trying to read a private topic

Felix wrote:

Another example is, when you try to log in the message shows "Username or Password wrong" to prevent others finding accounts that exist.

Indeed, that could be easily improved as well.

But I think this one is rather Security through Obscurity.

I don't think so, it's why I ask what the issue is. I'm sure the core devs are much smarter than security through obscurity, especially when the obscurity is more like the reduced visibility from light rain on a sunny summer afternoon :)


#17 2008-10-09 21:10:44

Jérémie
Member
From: France
Registered: 2008-04-30
Posts: 629

Re: HTTP 401 and explanation when trying to read a private topic

No one?


#18 2008-10-10 04:46:19

Smartys
Former Developer
Registered: 2008-04-27
Posts: 3,139

Re: HTTP 401 and explanation when trying to read a private topic

There's nothing else to say. I've presented evidence to back up my side, but you don't see a security issue and I do (albeit a fairly minor one in most cases). I don't think either of us is going to change our opinions, so there's nothing else to be said. ;)


#19 2008-10-10 06:06:21

Anatoly
Member
From: Russia
Registered: 2008-05-12
Posts: 68

Re: HTTP 401 and explanation when trying to read a private topic

Agree with Smartys, but due to

orlandu63 wrote:

Literally 99.9% of users would prefer more concise error messages than a single ambiguous one.

this may be an option or an extension that allows admin to enable the extended explanation:

Jérémie wrote:

the page should explain that the topic (post, etc.) he tried to access is private and he is not authorized to read it

But the stronger security should be chosen as default forum behavior.


Carpe diem


#20 2008-10-10 12:52:58

xable
Member
Registered: 2008-05-13
Posts: 145

Re: HTTP 401 and explanation when trying to read a private topic

This isn't a case of securing the server from being hacked, it's about how secretive the admin wants to be about the information posted on the forums.

I think this is an option which is needed based on the admin's preference and/or the type of forum concerned. Most people won't need this level of secrecy or paranoia if you like, as such the majority should be catered for in the core and the minority by an extension which could be more geared towards the higher level of privacy.


#21 2008-10-10 15:39:47

Jérémie
Member
From: France
Registered: 2008-04-30
Posts: 629

Re: HTTP 401 and explanation when trying to read a private topic

Beside the feature itself, I still don't understand the security value itself about this obfuscation.


#22 2008-10-10 16:17:00

Connor
Former Developer
Registered: 2008-04-27
Posts: 1,127

Re: HTTP 401 and explanation when trying to read a private topic

tbh, would anyone benefit from a 401 error rather than a 404 error? I doubt it. A 404 error and a slightly nicer error message would solve the problem imo.


#23 2008-10-10 17:22:22

Reines
Administrator
From: Scotland
Registered: 2008-05-11
Posts: 3,197

Re: HTTP 401 and explanation when trying to read a private topic

Connor wrote:

tbh, would anyone benefit from a 401 error rather than a 404 error? I doubt it. A 404 error and a slightly nicer error message would solve the problem imo.

People who aren't logged in that assume the link is dead rather than requiring to sign in would probably benefit from it, though again that could probably be fixed by making a slightly nicer message.


#24 2008-10-10 18:55:53

xable
Member
Registered: 2008-05-13
Posts: 145

Re: HTTP 401 and explanation when trying to read a private topic

Yep, appropriate and more informative messages would do it. They can then be dumbed down with an extension for anyone who needs that.


#25 2008-10-10 19:10:45

Connor
Former Developer
Registered: 2008-04-27
Posts: 1,127

Re: HTTP 401 and explanation when trying to read a private topic

Reines wrote:
Connor wrote:

tbh, would anyone benefit from a 401 error rather than a 404 error? I doubt it. A 404 error and a slightly nicer error message would solve the problem imo.

People who aren't logged in that assume the link is dead rather than requiring to sign in would probably benefit from it, though again that could probably be fixed by making a slightly nicer message.

How many users know what a 401 error means?
