Passing parameters in URL

Diez B. Roggisch deets at nospam.web.de
Wed Feb 3 19:09:04 EST 2010


On 04.02.10 00:39, Paul Rubin wrote:
> "Diez B. Roggisch"<deets at nospam.web.de>  writes:
>> Of course only information not gathered is really safe
>> information. But every operation that has side-effects is reproducible
>> anyway, and if e.g. your chat-app has a history, you can as well log
>> the parameters.
>
> No I can't.  The chat-app history would be on the client, not the
> server, so I'd have no access to it.  Put another way: as server
> operator, I'm like the owner of a coffee shop.  I can't stop patrons
> from recording their own conversations with each other, and it's not
> even really my business whether they do that.  But it would be
> outrageous for the shop owner to record the conversations of patrons.

Which is the exact thing that happens when you use an email-provider 
with IMAP. Or google wave. Or groups. Or facebook. Or twitter. Which I 
wouldn't call outrageous.

This discussion moves away from the original question: is there anything 
inherently less secure when using GET vs. POST. There isn't.

Users can forge both kinds of requests easily enough, whoever sits in the 
middle can access both, and it's at the discretion of the service 
provider to only save what it needs to. If you don't trust it, don't use it.

Diez
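
Added example, not part of the original post: a local server that receives the same parameters by GET and by POST, showing that the application sees both identically and that what ends up in the access log is the operator's choice. The `/chat` path, the `token` parameter and the `redact` helper are assumptions made for illustration.

```python
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qsl, urlencode, urlsplit

SENSITIVE = {"token"}  # assumed name of a parameter the operator should not store

def redact(target):
    """Return the request target with sensitive query values masked for logging."""
    parts = urlsplit(target)
    pairs = [(k, "[redacted]" if k in SENSITIVE else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return parts._replace(query=urlencode(pairs, safe="[]")).geturl()

class Handler(BaseHTTPRequestHandler):
    seen = []        # what the application receives, for either method
    access_log = []  # what the operator chooses to keep

    def _handle(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length).decode()
        params = dict(parse_qsl(urlsplit(self.path).query) + parse_qsl(body))
        Handler.seen.append((self.command, params))
        self.send_response(204)
        self.end_headers()

    do_GET = do_POST = _handle

    def log_message(self, fmt, *args):
        # The default logger writes the full request line, query string included;
        # here only the redacted target is stored.
        Handler.access_log.append(f"{self.command} {redact(self.path)}")

def demo():
    """Send constructed sample parameters by GET and POST to a loopback server."""
    Handler.seen.clear()
    Handler.access_log.clear()
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    base = f"http://127.0.0.1:{server.server_port}/chat"
    data = urlencode({"user": "alice", "token": "s3cret"})  # constructed values
    opener.open(f"{base}?{data}").close()            # parameters in the URL
    opener.open(base, data=data.encode()).close()    # same parameters in the body
    server.shutdown()
    server.server_close()
    return Handler.seen, Handler.access_log
```
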


