[linux-elitists] web server software for tarpitting?

Don Marti dmarti@zgp.org
Sat Feb 23 08:59:02 PST 2008


begin kermit tensmeyer quotation of Thu, Feb 21, 2008 at 12:05:08AM +0000:

> > Making access to W3C degrade performance of poorly written software is a
> > fine way to deal with this. Such software can be trivially fixed to
> > avoid the degradation.
> > 
>    No it can't. Before "trivially fixing the software", it should be a 
> requirement to fix the standards as defined by W3C. If one defines the DTD 
> for XHTML as authoritative in one (and only one) URI, then there is only 
> one logical location that can provide authoritative answers.

The http:// URL implies the HTTP standard.  If the
HTTP response includes "Expires:" then the client is
allowed to rely on that response until the "Expires:"
date.

>   the solutions are to fix the standards, and then focus on allowing 
> software to match the standards. DTD validation has been around for a 
> long time. Quick fixes will generate other problems that can be worse 
> than the problem it was intended to fix.

Already fixed at the HTTP level.  Caching the
DTD until it expires is the only approach that's
consistent with both the HTTP standard and the
unwritten HTTP client rule of not being a dick to
the people who run the HTTP server.

>    Having some corporate Email Server run slower because the choice of 
> email provider software doesn't play nice, may be reasonable if and only 
> if there is an alternative that doesn't incur the penalty.

Already-deployed corporate software gets fixed only
if someone with budget authority complains, or if
there's a credible legal threat.

Remember the great Wisconsin NTP DoS of 2003?
  http://pages.cs.wisc.edu/~plonka/netgear-sntp/
  http://pages.cs.wisc.edu/~plonka/netgear-sntp/#ToC44

This situation seems different because it's not one
badly designed product, but zillions of in-house
programs.  In this case, the only way I can see to
make someone complain is to slow down the software.
The developer who's ordered to make the fix wouldn't
even have to know about the policy.

It seems like the most obvious fix would be for HTTP
client libraries to cache where possible by default,
and make the programmer turn off the cache if he or
she really didn't want it.

-- 
Don Marti                    
http://zgp.org/~dmarti/
dmarti@zgp.org
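A worked illustration of the caching rule described in the reply above, added here as an example; it is not code from the original post, from W3C, or from any real HTTP client library. It assumes a small client-side cache keyed by URL that honours the "Expires:" header: a validator that needs the XHTML DTD on every parse then goes to the origin once per validity period instead of on every document. The origin server and clock are constructed stand-ins so the block runs offline; the DTD URL is W3C's published location for the XHTML 1.0 Strict DTD.

```python
"""Expires-aware fetch cache (added example, not from the mailing-list post)."""
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Published W3C location of the XHTML 1.0 Strict DTD; the code never contacts it,
# the constructed origin below answers for it.
DTD_URL = "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"


class CachingFetcher:
    """Fetch URLs through a transport, reusing responses until their Expires date."""

    def __init__(self, transport, clock):
        self._transport = transport  # callable(url) -> (headers: dict, body: bytes)
        self._clock = clock          # callable() -> timezone-aware datetime
        self._cache = {}             # url -> (expires_at, headers, body)
        self.origin_fetches = 0      # how many times the origin was actually hit

    def fetch(self, url):
        now = self._clock()
        entry = self._cache.get(url)
        if entry is not None and now < entry[0]:
            return entry[2]          # still fresh: serve from cache, no origin traffic
        headers, body = self._transport(url)
        self.origin_fetches += 1
        expires_at = self._expires_at(headers)
        # Only responses with a parseable, future Expires date are cached;
        # anything else is treated as already stale and refetched next time.
        if expires_at is not None and expires_at > now:
            self._cache[url] = (expires_at, headers, body)
        return body

    @staticmethod
    def _expires_at(headers):
        raw = headers.get("Expires")
        if raw is None:
            return None
        try:
            expires = parsedate_to_datetime(raw)
        except (TypeError, ValueError):
            return None              # unparseable Expires (e.g. "0") means stale
        if expires.tzinfo is None:   # "-0000" dates parse as naive; treat as UTC
            expires = expires.replace(tzinfo=timezone.utc)
        return expires


def make_origin(clock, max_age=timedelta(days=30)):
    """Constructed stand-in for the W3C server: returns a placeholder DTD body
    with an Expires header set max_age past the origin's current time."""
    def transport(url):
        headers = {
            "Expires": format_datetime(clock() + max_age, usegmt=True),
            "Content-Type": "application/xml-dtd",
        }
        return headers, b"<!-- constructed placeholder DTD body -->"
    return transport


def demo():
    """Three parses on one day, then one a month later.

    Returns (origin fetches after the first three, origin fetches after the
    fourth): the first three cost one origin request, the fourth one more."""
    state = {"now": datetime(2008, 2, 23, 17, 0, tzinfo=timezone.utc)}  # constructed clock
    clock = lambda: state["now"]
    fetcher = CachingFetcher(make_origin(clock), clock)
    for _ in range(3):
        fetcher.fetch(DTD_URL)
    after_three = fetcher.origin_fetches
    state["now"] += timedelta(days=31)   # past the 30-day Expires date
    fetcher.fetch(DTD_URL)
    after_expiry = fetcher.origin_fetches
    return after_three, after_expiry


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is the failure mode: a missing or unparseable "Expires:" header makes the cache fall back to refetching, which is the HTTP-conformant behaviour, while a parseable future date is the only thing that stops the client from hitting the origin for every document it validates.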