There’s a piece of software out there trying to cut down on blog spam, and it behaves annoyingly badly. It’s bad in a particular way that drives me up the wall. It prevents reasonable behavior, and barely blocks bad behavior of spammers.
In particular, it stops all requests that lack an HTTP Referer: header. All requests. Not just POST to the comment CGI, which might appear to make sense. Not just POST. All requests.
There are two problems with this. First, it assumes a static attacker, which is a poor descriptor of spammers. Second, it has high auxiliary costs.
So I wrote 28 characters of code for a spamming botnet. This assumes that there’s a variable “site” which is getting spammed, and gets inserted in the header printing block:
printf("Referer: %s\n", site);
That’s it. I just broke the “Bad Behavior” plugin, because that’s what the comment link referer will look like. (If I were to put in site, path, that would be about 4 lines of code. Mostly because it’s been long enough since I’ve dealt with C string handling I’d have to look up how to split the string and drop the last component.) I’d link to it, but you know, I can’t see the site.
Incidentally, I didn’t contribute that code anywhere. It’s a thought experiment, which Bad Behavior’s author should have done years ago.
Good security design takes into account obvious next steps by attackers. It considers impacts on privacy and liberty. Missing those, security designs are at best acceptable, and at worst oppressive.
[Update: I realized I’m violating my own advice here, by saying “that’s wrong.” So let me be prescriptive: Don’t use the referer header for security. Just don’t. Don’t even try. You might try to redesign blog posting to take into account a particular blog post, but that would require breaking commenting directly from the front page of a blog.] [Update 2: added link to WMV video around ‘my own advice’.]