"If you come across a door which has a lock, you know that lockpicking it is wrong, even if there's no notice on the door saying you aren't meant to pick the lock. Same here. That string is meant to be a lock."

Someone wrote that earlier in this thread. I'm glad to see that you do not fully agree with that statement.

The URL is not a security mechanism. Basic authorization was baked into browsers and web servers for that exact reason. Basic authorization has been there since virtually the beginning of the WWW.

And here is one reason why. Suppose a good and trusted friend emails you a link to a document. Your friend tells you it's a must-read, but omits to mention that it resides on a web site where he has privileged access. You do not have access to the site but gain access and read the document anyway because the URL contains his password.

Now I think the author of the quoted post would call you a criminal, just because you failed to find the string 'password' in the 99 character query string. So now your fate depends on whether or not a prosecutor believes your crime was intentional or inadvertent. Good luck. Maybe the prosecutor will decide that you and your friend are engaged in a criminal enterprise and send you both up the river.

I'm certainly not excusing people who break into web sites and gain access to sensitive information. But people who program and own web sites need to be held responsible, too.
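The contrast the post draws, a password carried in the query string versus HTTP Basic authentication carried in a request header, as an added example that is not part of the original thread. The credential store, realm name, URLs and request dictionaries are constructed for illustration; the two handlers are hypothetical stand-ins for a server's request dispatch, not any real site's code.

```python
"""Added example: why a password in the URL leaks when a link is forwarded,
and why an Authorization header does not.

Not code from the original thread. USERS, REALM, the sample URLs and the
request dictionaries are constructed for this illustration.
"""
import base64
import binascii
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed credential store (plaintext only to keep the example short;
# a real server stores salted password hashes).
USERS = {"alice": "correct horse battery staple"}
REALM = "documents"


def check_credentials(user, password):
    """Constant-time comparison; unknown users still pay the compare cost."""
    expected = USERS.get(user)
    if expected is None:
        hmac.compare_digest(password.encode(), b"\x00")
        return False
    return hmac.compare_digest(password.encode(), expected.encode())


def handle_request_query_auth(url):
    """The weak scheme: credentials live in the URL itself.

    Anyone who receives the link (a forwarded email, a proxy log, a Referer
    header) receives the password with it. Returns (status, headers, body).
    """
    params = parse_qs(urlsplit(url).query)
    user = params.get("user", [""])[0]
    password = params.get("password", [""])[0]
    if check_credentials(user, password):
        return 200, {}, "document body"
    return 403, {}, ""


def basic_auth_header(username, password):
    """What a browser sends after the user answers the 401 prompt."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def parse_basic_auth(header):
    """Return (user, password) from an Authorization header, or None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def handle_request_basic(url, headers):
    """The mechanism the post points to: authorization comes only from the
    Authorization header. The URL is ignored for access decisions, so a
    forwarded link carries no credential and simply gets a 401 challenge.
    """
    creds = parse_basic_auth(headers.get("Authorization"))
    if creds and check_credentials(*creds):
        return 200, {}, "document body"
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, ""


if __name__ == "__main__":
    # Constructed: the link the friend forwards, password buried in the query.
    leaky = ("https://example.test/doc?id=7&view=full&lang=en"
             "&user=alice&password=correct%20horse%20battery%20staple")
    print("query-string auth, forwarded link:", handle_request_query_auth(leaky)[0])
    clean = "https://example.test/doc?id=7&view=full&lang=en"
    print("basic auth, forwarded link, no header:", handle_request_basic(clean, {})[0])
    hdr = {"Authorization": basic_auth_header("alice", "correct horse battery staple")}
    print("basic auth, owner's own browser:", handle_request_basic(clean, hdr)[0])
```

With the query-string scheme the forwarded link alone is enough to read the document, which is the situation the post describes. With Basic authentication the same forwarded link yields a 401 and a WWW-Authenticate challenge; only the browser session that actually holds the credential gets a 200, and nothing in the URL needs to be inspected for a hidden 'password'.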