​+1 ​
Sounds like a perfect solution
​ 👍​

Med venlig hilsen / Best regards
Emil Stahl

On Mon, Nov 16, 2015 at 9:35 AM, Gil Bahat <[email protected]> wrote:

> Hi,
>
> We are interested (like many others, I guess) in the ability to perform
> HTTP measurements at our own non-anchored network. Understanding the
> potential for abuse, I would like to suggest the following authentication
> protocol, which is based on best practices exhibited by other services with
> such potential (abuse or privacy implications).
>
> 1. Confirm control of the domain registration:
> * This is usually done by mailing the technical contact for the relevant
> WHOIS entry with a confirmation email containing a unique hash, thus
> validating ownership.
>
> 2. Confirm control of the DNS servers:
> * This is usually done by editing the root TXT record with a unique hash
> or publishing a CNAME with unique hash.
>
> 3. Confirm control of the Web servers:
> * This is usually done by placing a uniquely-hashed file in the webserver
> root directory, a unique hash in the meta-tags for the index html file or a
> unique value in a file such as robots.txt.
>
> I believe this protocol is sufficient to ensure that a web site owner
> agrees to the implications of allowing free HTTP measurements against their
> servers and that no unwilling server will ever be probed. At most during
> the protocol, the only resource that can be hit is a static file or
> robots.txt specifically, which has very little capability to overwhelm a
> web server, especially if negative responses are cached for a considerable
> amount of time / validation is done via a few nodes and propagated across
> the network.
>
> thoughts/ideas welcome.
>
> Regards,
>
> Gil Bahat,
> DevOps Engineer,
> Magisto Ltd.
>

Reply via email to