Passing parameters in URL
Diez B. Roggisch
deets at nospam.web.de
Thu Feb 4 04:02:06 EST 2010
> I'm not sure what you mean by that. Obviously if users want to record
> their own conversations, then I can't stop them, but that's much
> different than a non-participant in the conversation leaving a recorder
> running 24/7. Is that so hard to understand?
Is it so hard to understand that this is not about laws and rights, but
about technical properties of the HTTP-protocol?
Your web-based chat uses HTTP, not a P2P protocol, and thus the service
provider *can* log conversations. I don't say he should, I don't say I
want that, I don't say there are no laws that prevent them from doing
so, all I say is he *can*.
> I certainly didn't feel that saving or not saving client conversations
> on the server side was up to my discretion. When I found that the
> default server configuration caused conversations to be logged then I
> was appalled.
Then stop logging. Or get a hosting-provider that allows you to
configure it to strip QUERY_STRINGS from log-entries. And if they refuse
to, maybe using POST solves the issue.
But wait, there is
http://www.cyberciti.biz/faq/apache-mod_dumpio-log-post-data/
So what if they run that?
So, for the umpteenth time: data sent over the wire can be recorded.
From the user's POV, your nitpicking of who's the actual culprit - the
IT-guys, or the programmers - is fruitless. You have a nice anecdote
where switching from GET to POST allowed you to trick whoever wasn't
acting to your wishes. Good for you. But John B. and your posts indicate
that using POST is inherently more secure. It *isn't*.
> Do you think the phone company has the right to record all your phone
> calls if they feel like it (absent something like a law enforcement
> investigation)? What about coffee shops that you visit with your
> friends? It is not up to their discretion. They have a positive
> obligation to not do it. If you think they are doing it on purpose
> without your authorization, you should notify the FBI or your
> equivalent, not just "don't use it". If they find they are doing it
> inadvertently, they have to take measures to make it stop. That is the
> situation I found myself in, because of the difference in how servers
> treat GET vs. POST.
If they have a positive obligation not to do it, it doesn't matter if
they run their service over GET or POST.
Again, this is not about laws and what service providers should or must
do. It's about POST vs. GET, and if either of them is more secure or
not. It isn't.
Diez
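The mitigation Diez mentions, stripping query strings from log entries, as an added example that is not part of the original thread: a Python scrubber for Apache combined-format access logs that removes the query string from the request line and from the Referer field, plus a helper that reports which parameter names a line has already recorded, so an operator can audit what the default configuration captured. The log lines are constructed samples.

```python
import re
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Apache "combined" format:
#   client ident user [time] "METHOD target HTTP/x.y" status bytes "referer" "user-agent"
# The request target and the Referer are the two fields where GET parameters land.
COMBINED_RE = re.compile(
    r'^(?P<pre>\S+ \S+ \S+ \[[^\]]+\] ")'
    r'(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)'
    r'(?P<mid>" \d{3} \S+ ")'
    r'(?P<referer>[^"]*)'
    r'(?P<rest>".*)$'
)

def strip_query(url: str) -> str:
    """Drop the query string (and fragment) from a URL or request target."""
    if url == "-":            # Apache writes "-" when no Referer was sent
        return url
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))

def leaked_keys(line: str) -> list:
    """Parameter names recorded on this line (request target and Referer)."""
    m = COMBINED_RE.match(line)
    if m is None:
        return []
    keys = []
    for field in (m.group("target"), m.group("referer")):
        keys.extend(parse_qs(urlsplit(field).query, keep_blank_values=True).keys())
    return keys

def scrub_log_line(line: str) -> str:
    """Return the line with query strings removed; unknown formats pass through."""
    m = COMBINED_RE.match(line)
    if m is None:
        return line           # not combined format: leave it rather than guess
    return (m.group("pre") + m.group("method") + " " + strip_query(m.group("target"))
            + " " + m.group("proto") + m.group("mid")
            + strip_query(m.group("referer")) + m.group("rest"))

# Constructed samples: a GET that records chat content, and the POST equivalent.
SAMPLE_LINES = [
    '203.0.113.7 - - [04/Feb/2010:09:02:06 -0500] "GET /chat/send.py?user=alice&msg=hello+bob HTTP/1.1" '
    '200 512 "http://chat.example/room?name=private" "Mozilla/5.0"',
    '203.0.113.7 - - [04/Feb/2010:09:02:10 -0500] "POST /chat/send.py HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(leaked_keys(line), scrub_log_line(line))
```

This only covers the access log; the mod_dumpio page linked above shows request bodies being written by the server as well, so a review of what gets recorded has to include those logs too.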