Passing parameters in URL

Diez B. Roggisch deets at nospam.web.de
Thu Feb 4 01:09:04 CET 2010


Am 04.02.10 00:39, schrieb Paul Rubin:
> "Diez B. Roggisch"<deets at nospam.web.de>  writes:
>> Of course only information not gathered is really safe
>> information. But every operation that has side-effects is reproducable
>> anyway, and if e.g. your chat-app has a history, you can as well log
>> the parameters.
>
> No I can't.  The chat-app history would be on the client, not the
> server, so I'd have no access to it.  Put another way: as server
> operator, I'm like the owner of a coffee shop.  I can't stop patrons
> from recording their own conversations with each other, and it's not
> even really my business whether they do that.  But it would be
> outrageous for the shop owner to record the conversations of patrons.

Which is the exact thing that happens when you use an email-provider 
with IMAP. Or google wave. Or groups. Or facebook. Or twitter. Which I 
wouldn't call outrageous.

This discussion moves away from the original question: is there anything 
inherently less secure when using GET vs. POST. There isn't.

Users can forge both kind of requests easy enough, whoever sits in the 
middle can access both, and it's at the discretion of the service 
provider to only save what it needs to. If you don't trust it, don't use it.

Diez



More information about the Python-list mailing list