Passing parameters in URL

Paul Rubin no.email at nospam.invalid
Wed Feb 3 19:35:41 EST 2010


"Diez B. Roggisch" <deets at nospam.web.de> writes:
>> But it would be outrageous for the shop owner to record the
>> conversations of patrons.
>
> Which is the exact thing that happens when you use an email-provider
> with IMAP. Or google wave. Or groups. Or facebook. Or twitter. Which I
> wouldn't call outrageous.

Those are not comparable.  IMAP is a storage service, and groups,
facebook, and twitter are publishing systems (ok, I've never understood
quite what Google Wave is).  Yes, by definition, your voice mail
provider (like IMAP) has to save recordings of messages people leave
you, but that's a heck of a lot different than your phone carrier
recording your real-time conversations.  Recording live phone
conversations by a third party is called a "wiretap" and doing it
without suitable authorization can get you in a heck of a lot of
trouble.

> This discussion moves away from the original question: is there
> anything inherently less secure when using GET vs. POST. There isn't.

Well, the extra logging of GET parameters is not inherent to the
protocol, but it's an accidental side effect that server ops may have to
watch out for.

> Users can forge both kinds of requests easily enough, whoever sits in the
> middle can access both,

I'm not sure what you mean by that.  Obviously if users want to record
their own conversations, then I can't stop them, but that's much
different than a non-participant in the conversation leaving a recorder
running 24/7.  Is that so hard to understand?

Interception from the middle is addressed by SSL, though that relies on
the PKI certificate infrastructure, which while somewhat dubious, is
better than nothing.

> and it's at the discretion of the service provider to only save what
> it needs to.  If you don't trust it, don't use it.

I certainly didn't feel that saving or not saving client conversations
on the server side was up to my discretion.  When I found that the
default server configuration caused conversations to be logged then I
was appalled.

Do you think the phone company has the right to record all your phone
calls if they feel like it (absent something like a law enforcement
investigation)?  What about coffee shops that you visit with your
friends?  It is not up to their discretion.  They have a positive
obligation to not do it.  If you think they are doing it on purpose
without your authorization, you should notify the FBI or your
equivalent, not just "don't use it".  If they find they are doing it
inadvertently, they have to take measures to make it stop.  That is the
situation I found myself in, because of the difference in how servers
treat GET vs. POST.
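An added example, not from the thread or its authors: a small Python audit that shows the logging side effect discussed above. It scans constructed access-log lines (Apache/nginx "combined" format) for query-string parameters whose names suggest credentials or tokens; the key list is an assumption and a starting point only.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in "combined" log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Feb/2010:19:35:41 -0500] "GET /login?user=alice&password=hunter2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [03/Feb/2010:19:36:02 -0500] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.7 - - [03/Feb/2010:19:36:10 -0500] "GET /search?q=python&page=2 HTTP/1.1" 200 2048 "-" "curl/7.19"
10.0.0.9 - - [03/Feb/2010:19:37:00 -0500] "GET /api?token=abc123&id=7 HTTP/1.1" 200 64 "-" "Mozilla/5.0"
"""

# Parameter names whose values should never land in an access log.
# Assumption: an illustrative list, extend it for your own application.
SENSITIVE_KEYS = {"password", "passwd", "pwd", "token", "session", "secret", "ssn", "card"}

# Matches the quoted request line: method, target (path plus query), protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def leaked_params(log_text):
    """Return (line_no, method, [sensitive key names]) for every request whose
    query string carries a sensitive parameter.

    Only the request target is inspected: that is all the server writes to the
    access log, so POST bodies never appear here while GET parameters do."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        keys = [k for k, _ in parse_qsl(query, keep_blank_values=True)]
        hits = sorted({k for k in keys if k.lower() in SENSITIVE_KEYS})
        if hits:
            findings.append((n, m.group("method"), hits))
    return findings


if __name__ == "__main__":
    for line_no, method, keys in leaked_params(SAMPLE_LOG):
        print(f"line {line_no}: {method} request logged sensitive parameter(s): {', '.join(keys)}")
```

The same check can be pointed at a live log file to find handlers that should be moved from GET to POST or have their logging format adjusted.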
