[H-GEN] Squid addon

Ben Fowler b1.fowler at student.qut.edu.au
Thu Apr 29 09:29:24 EDT 1999


(Note reply-to: being general at humbug.org.au vs Ben Fowler <b1.fowler at student.qut.edu.au>)

On Thu, 29 Apr 1999, Steve Thorne wrote:

> (Note reply-to: being general at humbug.org.au vs Steve Thorne <sjthorne at ozemail.com.au>)
>
> I think my point has been missed - there is an extremely high chance that
> index.html might be the same size on two different servers, as with many
> small(ish) index or image files with common names.
> 
> Considering the goal of the squid addon is to decrease unnecessary
> downloading of large files, it would be logical to make it work something
> along the lines of -
> 
 :
 :  

> what's the chance that there will be two tarballs of exactly the same
> name and size, that wouldn't be the same file? 

Non-zero.  While the chances of this happening would be very small,
there could be a possibility still, of the proxy server deciding to hand
you a completely different file than what you asked for.

Now I _know_ this is a minor point, but it _is_ surprisingly important.

Hey, having a Squid addon to allow file caching across different servers
would rule, but it'd have to make sure that you're getting what you asked
for.  Using name-size-500k-phase_of_moon to compare files is probably
inadequate for the task.  You need something like checksums on files to
make sure users get what they requested from the proxy. 

I would argue that making the assumption that any two arbitrary files of
the same size and name are exactly the same without looking at the
contents would be not good, and sometimes positively dangerous.

For example, assuming the proxy server I'm using distinguishes between
files only by name/size, and if I had nothing better to do, I could find a
file I would know would be popular (e.g. WinZip, for the sake of this
discussion), create a file exactly the same size and name, but actually
have it contain my porno collection, and somehow get the proxies to cache
it.  Then every user and his dog would (think) they're downloading the
latest release of WinZip when they're getting something else entirely... 
:)  Of course, this doesn't _have_ to be deliberate... sometimes users may
just get spectacularly unlucky. 

Another example: perhaps some script kiddy wants to backdoor your machine
with BackOrifice or something?  Again assuming the proxy server is only
using name/size info to compare files, and that said malicious cracker had
a modicum of intelligence and devised a scheme like the above... that's
one happy script kiddie :)

Ok, you may well be thinking that this is not likely to be a problem, but
hopefully I've pointed out that it may well be.  Sometimes when designing
software, care needs to be taken that by writing this incredibly cool
software, you haven't gone and created more problems than what you're
trying to solve. 

As I mentioned in an earlier post, generating checksums on the _contents_
of the files being cached by the proxy would help fix this problem.

Hrmm, it's 11:20pm.  I'd better shut up and get to bed now :^)

- warmest regards,

Ben.

--
 Ben Fowler, 2nd yr. BInfTech(CompSci,DataCommunications), QUT
   EMAIL:     ben.fowler at humbug.org.au  b1.fowler at student.qut.edu.au 
   WEB PAGE:  http://azure.humbug.org.au/~zuul/ 

 "I used to be disgusted; now I try to be amused." -- Elvis Costello
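
The point made in the message above, as an added example (not code from the original post or from Squid): a cache keyed on name and size hands back the wrong object, while one keyed on a SHA-256 of the contents does not. The class names and sample data are constructed, and it is assumed the proxy can learn the expected digest of the requested file, for instance because the origin publishes it.

```python
import hashlib


class NameSizeCache:
    """Scheme questioned in the thread: identity is (file name, size)."""

    def __init__(self):
        self._store = {}

    def put(self, name, body):
        # First object seen for a (name, size) pair wins; later ones are
        # assumed to be the same file and are never stored.
        self._store.setdefault((name, len(body)), body)

    def get(self, name, size):
        return self._store.get((name, size))


class ContentCache:
    """Identity is the SHA-256 digest of the contents."""

    def __init__(self):
        self._store = {}

    def put(self, body):
        digest = hashlib.sha256(body).hexdigest()
        self._store[digest] = body
        return digest

    def get(self, expected_digest):
        body = self._store.get(expected_digest)
        # Re-hash before serving so a damaged entry is treated as a miss.
        if body is None or hashlib.sha256(body).hexdigest() != expected_digest:
            return None
        return body


def demo():
    # Constructed sample: same name, same length, different contents.
    name = "tool-1.0.tar.gz"
    genuine = b"GENUINE RELEASE " * 4
    other = b"SOMETHING ELSE!!" * 4
    weak, strong = NameSizeCache(), ContentCache()
    weak.put(name, other)            # cached earlier from another server
    strong.put(other)
    weak_hit = weak.get(name, len(genuine))
    strong_hit = strong.get(hashlib.sha256(genuine).hexdigest())
    # weak_hit is the wrong file; strong_hit is None, so the proxy must
    # fetch the requested file from its origin.
    return weak_hit == genuine, strong_hit
```
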


