[gopher] Capability files are dangerous
Kim Holviala
kim at holviala.com
Mon May 14 16:07:33 UTC 2012
On May 14, 2012, at 17:33 , Cameron Kaiser wrote:
> For most servers, caps.txt will be just another file. Only Bucktooth and
> Gophernicus generate it by pseudoselector. The server has no idea who is
> fetching caps.txt and for what purpose.
Actually.... The original poster was somewhat correct with that assumption. I can now fairly reliably determine between UMN gopher client, Overbite (the latest betas) and other gopher clients.
But still, who cares. It doesn't really matter... And I say that as a person who's got an untraceable GSM phone and an RFC shield on my wallet. I also go to different grocery stores every time I do my shopping, I pay with plain cash, and drive to work using slightly different routes every day.
In other words, I'm as paranoid as they come. In fact, I think I should be on meds... (to extrapolate, I think *everyone* who's doing gopher these days should get some pills, or life :-D )
Still, caps.txt is a complete non-issue. It offers nothing that was not already visible.
> It can even be spoofed; if you put caps.txt at the root of the filesystem,
> Bucktooth will see it and serve *that* instead, completely overriding it
> without further interpretation (it can even be verifiably incorrect). You can
> provide all or none of the properties in that file, or you can just have a
> blank file, in which case it acts as if there were no caps at all. I don't
> know how Gophernicus implements this, but it is probably similar.
In case anyone was wondering - Gophernicus does exactly the same. By default it's the autogenerated caps.txt. If you put your own file in there - then it's the file that gets served. And if you don't want anything visible, there's an option for disabling caps.txt completely.
- Kim
More information about the Gopher-Project
mailing list