
Re: [gopher] Capability files are dangerous



On 2012-05-14, Jacob Dahl Pind wrote:

> On Mon, 14 May 2012, Denis Bernard wrote:
>
>> Capability files are dangerous!
>
> this reminds me of the classical pop up with danger!! you are
> broadcasting your ip!!!11!1einself

Well, anything you do in the open is, well, an opportunity for other
people to fingerprint your acts.

Simply by doing a gopher request, CAPS or no CAPS, you're letting some
personal information out.

Of course it's never as much as HTTP's User-Agent.

>>  Up to today, any Gopher client was able to deal with any Gopher server
>> (more or less). The spirit of Gopher is to keep it as simple as
>> possible and, mainly, for retrieving files anonymously. Up to today, it
>> was impossible, for an administrator of a Gopher server, to know which
>> flavor of a Gopher client was browsing its site. The only information
>> available was from the IP address. Now, with a capability file like
>> "caps.txt", there is a fingerprint. Without being paranoid, everybody
>> has heard of web sites serving content (or refusing to serve!) according
>> to the software or the system that the client has. That will happen for
>> the Gopher space too!
>
> As caps.txt is server side, I fail to see how it relates to serving data
> to a client; the server has no idea what it's talking to, unlike the
> User-Agent string in the HTTP world.

Well, I see how you could identify a client through which
CAPS-advertised features it supports.

>>  A capability file offers interesting information about the Gopher
>> server software version that you run and its hardware. Knowing the
>> version of the capability file, the version of the software of the
>> server, it is easy to deduce how lazy or incompetent the administrator
>> is.
<snip/>
>>  You can find, in a capability file, private information provided
>> by its unadvised administrator like the geographical position of its
>> server. So, if somebody claims that you are serving a file under a
>> copyright that you don't hold, knowing the city where the server runs,
>> he can easily find the door of the competent justice court. If you do
>> not provide that kind of information, jurists will have to ask the
>> Internet provider who you are according to your IP address (supposing
>> your domain name is kept in anonymity). It takes time and they need to
>> have strong motivation to do that.
>
> Cameron's proposal is a simple file, it doesn't magically out of the blue
> get the information, it's information that you as an admin either have
> to enter into a file yourself, or in the case of gophernicus you can
> let it generate it automatically, again only with information you supply
> it.
> Descript, admin and geolocation are optional fields.
>
> But even without that geolocation field, unless you happen to run your
> server over a tor network, it ain't terribly hard these days to figure
> out where in the world an IP is based.

Also, some gopher servers actually disclose what software they run on
and where they are located in their root menu.


-- 
Nuno J. Silva (aka njsg)
gopher://sdf-eu.org/1/users/njsg
http://njsg.sdf-eu.org/

_______________________________________________
Gopher-Project mailing list
Gopher-Project@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/gopher-project



