On Tue, Feb 16, 2010 at 12:27:44PM +0100, Per-Olov Sjöholm wrote:
> 
> On 16 feb 2010, at 12.07, Bret S. Lambert wrote:
> 
> > On Tue, Feb 16, 2010 at 11:44:12AM +0100, Per-Olov Sjöholm wrote:
> >> See my post to Peter H. You obviously have not worked with security
> > 
> > Why? Because I'm unwilling to endorse your preferred approach?
> > 
> >> and the tradeoffs you _always_ have to make.
> > 
> > Yes, you make tradeoffs, but you're asking for obscurity, not security.
> > It's a very important distinction to make, which you don't seem to be
> > doing.
> > 
> >> If you don't have anything to come up with, don't bother to post.
> > 
> > Okay, I'll bite:
> > 
> > You're trying to solve this at the wrong layer.
> > 
> > You're trying to use IP obfuscation.
> > 
> > You should be looking for HTTP authentication instead.
> 
> 
> There is no authentication available in most RSS clients.

No, but web servers don't run on crippled OSes (for certain values of
"crippled"), and are able to do things with URLs that level3 things
can't. Floor had a good suggestion about adding something to the URL
which would then be acted upon by the RSS feed server to determine
if the feed should be served. Since the solution you propose is no
less secure, just require that a "?user=NOTABOT" or some such be
appended.

You're still looking at the wrong layer to solve this problem.

> If it was, I would of course prefer or at least consider that.

You haven't looked at this problem hard enough, then.

> I am not that stupid you know.

Why, oh why, dear lord, do you tempt me with such softballs?
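
The URL-parameter check suggested in the message above, as an added example that is not part of the original thread or any poster's code. It goes beyond the fixed "?user=NOTABOT" string by giving each subscriber their own derived value; the `token` parameter, the secret, the revocation set and the feeds.example host are all assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed secret for the example; a real one is random and kept on the server.
SERVER_SECRET = b"constructed-example-secret"
# Constructed set of subscribers whose feed URL has been withdrawn.
REVOKED = {"mallory"}


def feed_token(user: str) -> str:
    """Derive the per-subscriber token embedded in that user's feed URL."""
    digest = hmac.new(SERVER_SECRET, user.encode(), hashlib.sha256).hexdigest()
    return digest[:32]


def feed_url(base: str, user: str) -> str:
    """Build the URL handed to a subscriber (hypothetical 'token' parameter)."""
    return f"{base}?{urlencode({'user': user, 'token': feed_token(user)})}"


def should_serve(url: str) -> bool:
    """Decide from the request URL alone whether the feed is served."""
    query = parse_qs(urlsplit(url).query)
    users, tokens = query.get("user", []), query.get("token", [])
    # Reject missing or repeated parameters instead of guessing which one counts.
    if len(users) != 1 or len(tokens) != 1:
        return False
    user, token = users[0], tokens[0]
    if user in REVOKED:
        return False
    # Constant-time comparison so response timing does not leak the expected token.
    return hmac.compare_digest(token.encode(), feed_token(user).encode())


if __name__ == "__main__":
    good = feed_url("https://feeds.example/rss", "alice")
    print(good, should_serve(good))
    print(should_serve("https://feeds.example/rss?user=NOTABOT"))
```

The token travels in the URL, so it ends up in access logs and proxy logs; serve the feed over HTTPS and treat those logs as containing credentials.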
