HTTP error code 451: "Unavailable For Legal Reasons"


You're probably familiar with the number 404.

It's the return code you get when you try to access a web page that doesn't exist.

Websites are allowed to customise the message that accompanies a "page not found" error, though most of them keep the well-recognised text "404" in there somewhere.

On Naked Security, for instance, you'll see our robot mascot looking dejectedly at the digits 4-0-4 lying on the floor amidst the bits that were left over last time you tried to overhaul the washing machine by yourself.

What you might not realise is that every web page (more precisely, every HTTP response) comes with a three-digit return code.

The most common one is "200", which means, very simply, "OK," and is at the start of almost every successfully-served web request, something like this:

HTTP/1.0 200 OK
Content-Type: text/html

<html>
<body><h1>Hello!</h1></body>
</html>

The codes are grouped numerically in hundreds: the 100s are informational; 200s for success; 300s for redirections; 400s for errors reported to the client; and the 500s for problems encountered by the server.

Codes you might have experienced, even though the numeric values might not have been shown, include:

  • 301 Moved Permanently: to redirect your browser.
  • 401 Unauthorized: you need to log in somehow.
  • 403 Forbidden: and logging in won't help.
  • 404 Not Found: the page wasn't there.
  • 450 Blocked by Parental Controls: a Microsoft extension.
  • 500 Internal Server Error: oops, something broke.

There's also 418 I'm a Teapot.

That's an official internet standard, proposed in 1998 as an April Fools' joke.

(In RFC jargon, a web server that controls a teapot SHOULD give this response if ever it receives a request related to the brewing of coffee. The resulting entity body MAY be short and stout.)

Now, web openness advocates are proposing an addition to the 400s, namely 451 Unavailable For Legal Reasons.

This one isn't a joke.

The idea is to provide more useful information than 403 Forbidden, which is what many servers return these days when they overtly block access to comply with a court order.

At first blush, this sounds like something of a hacktivistic manoeuvre, since 451 error pages would be quite handy for proselytising a less-censored and less-regulated web.

Indeed, opponents of the plan might presume just that, since the proposed standard urges openness:

Responses using this status code SHOULD include an explanation, in the response body, of the details of the legal demand: the party making it, the applicable legislation or regulation, and what classes of person and resource it applies to.

The proposal even gives a Pythonic example:

HTTP/1.1 451 Unavailable For Legal Reasons
Content-Type: text/html

<html>
<head>
<title>Unavailable For Legal Reasons</title>
</head>
<body>
<h1>Unavailable For Legal Reasons</h1>
<p>This request may not be serviced in the 
Roman Province of Judea due to the Lex Julia 
Majestatis, which disallows access to resources 
hosted on servers deemed to be operated by the 
People's Front of Judea.</p>
</body>
</html>

Actually, even if you are a big fan of censorship and governmental control over the internet, you might want to support this proposal.

As I've mentioned before, one of the problems of trying to "fix" inappropriate content online by deliberately breaking access to it is that it becomes really hard to troubleshoot when things go wrong:

An open internet is dangerous. We all need to accept that. But a closed internet – especially one in which allegedly dangerous sites are made to vanish by secret government magic, in a manner which is technically opaque even to law-abiding users – doesn't help us to equip ourselves and our children to confront and to defeat that danger.

Of course, even if Resolution 451 passes, a regulatory body could still bypass it by issuing a court order specifying not only that a page should be blocked, but also which HTTP return code should be used.

But adding a bit of transparency into legally-mandated internet opacity would, surely, still be a good thing?
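To make the troubleshooting point concrete, here is an added example (not part of the original article or of the draft): a small Python triage function that tells a 451 apart from a 403 and extracts the explanation the draft says the body SHOULD carry. The sample responses are constructed for illustration, and the names diagnose and ParagraphText are made up for this example.

```python
import re
from html.parser import HTMLParser

# Status classes by hundreds, as listed in the article.
CLASSES = {1: "informational", 2: "success", 3: "redirection",
           4: "client error", 5: "server error"}

class ParagraphText(HTMLParser):
    """Collects the text found inside <p> elements of an HTML body."""
    def __init__(self):
        super().__init__()
        self.in_p, self.parts = False, []
    def handle_starttag(self, tag, attrs):
        if tag == "p":
            self.in_p = True
    def handle_endtag(self, tag):
        if tag == "p":
            self.in_p = False
    def handle_data(self, data):
        if self.in_p:
            self.parts.append(data)

def diagnose(raw):
    """Parse a raw HTTP response and report why the page was not served."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    m = re.match(r"HTTP/\d\.\d (\d{3})\b", head.split("\n")[0])
    if not m:
        raise ValueError("not an HTTP status line")
    code = int(m.group(1))
    result = {"code": code, "class": CLASSES.get(code // 100, "unknown"),
              "legal_block": code == 451, "explanation": None}
    if code == 451:
        # The draft says SHOULD, not MUST, so the explanation may be absent.
        p = ParagraphText()
        p.feed(body)
        result["explanation"] = " ".join("".join(p.parts).split()) or None
    return result

# Constructed sample responses (not captured traffic).
SAMPLE_451 = (
    "HTTP/1.1 451 Unavailable For Legal Reasons\r\nContent-Type: text/html\r\n\r\n"
    "<html><body><h1>Unavailable For Legal Reasons</h1>\n<p>This request may not "
    "be serviced in the \nRoman Province of Judea due to the Lex Julia \nMajestatis.</p>"
    "</body></html>\n")
SAMPLE_403 = "HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n<h1>Forbidden</h1>\n"

if __name__ == "__main__":
    for raw in (SAMPLE_451, SAMPLE_403):
        print(diagnose(raw))
```

With a 403 the result carries no explanation at all, which is exactly the opacity the 451 proposal is meant to reduce.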

By the way, you might assume that 451 was chosen because it's the next unused code after Microsoft's not entirely unrelated "parental control" error code.

That might be so, but the number actually comes from the late, great Ray Bradbury's novel Fahrenheit 451, a story in which books are banned and firemen are employed to start conflagrations, not to put them out, in order to destroy illegally-kept books.

So there is still a sense of "teapot humour", albeit an ironic one, in the RFC-writing community.

PS. The name Fahrenheit 451 comes from what Bradbury considered to be the nominal temperature at which paper burns. And, yes, it is a book. The film of the same name came later.


3 Responses to HTTP error code 451: "Unavailable For Legal Reasons"

  1. Last month, Gawker popped up an "error 451" for UK readers after they published something rather scandalous about Rebekah Brooks and the Murdoch family that possibly could get them in legal trouble.
    http://grahamcluley.com/2013/07/freedom-of-speech...

  2. Alex · 378 days ago

    Sorry, but IETF published "error 451" nearly two years ago, so this wasn't really that surprising.

    • Paul Ducklin · 378 days ago

      The thing is, the IETF *hasn't* published this as a standard - it's still only Tim Bray's draft (linked to above) that is "on the books."

      What's surprising - OK, perhaps it's more interesting than surprising - is that there's now an advocacy group that has very recently started, ahhhh, advocating this whole 451 business, going by the name "451unavailable.org" (linked to above).

      Why the IETF hasn't approved 451 is unknown to me.

      So that's why I wrote the article.

      That and the chance to use some Fahrenheit 451 graphics, covering both the book and the film. Ray Bradbury, RIP.


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog