Passing parameters in URL

Steve Holden steve at holdenweb.com
Thu Feb 4 07:14:13 EST 2010


Paul Rubin wrote:
> "Diez B. Roggisch" <deets at nospam.web.de> writes:
>>> But it would be outrageous for the shop owner to record the
>>> conversations of patrons.
>> Which is the exact thing that happens when you use an email-provider
>> with IMAP. Or google wave. Or groups. Or facebook. Or twitter. Which I
>> wouldn't call outrageous.
> 
> Those are not comparable.  IMAP is a storage service, and groups,
> facebook, and twitter are publishing systems (ok, I've never understood
> quite what Google Wave is).  Yes, by definition, your voice mail
> provider (like IMAP) has to save recordings of messages people leave
> you, but that's a heck of a lot different than your phone carrier
> recording your real-time conversations.  Recording live phone
> conversations by a third party is called a "wiretap" and doing it
> without suitable authorization can get you in a heck of a lot of
> trouble.
> 
Unless you happen to be following the illegal instructions of the
President of the United States, in which case Congress will
retroactively alter the law to void your offenses and provide you with
legal immunity for your wrongdoing. Assuming you are a large telephone
company and not a private individual.

>> This discussion moves away from the original question: is there
>> anything inherently less secure when using GET vs. POST. There isn't.
> 
> Well, the extra logging of GET parameters is not inherent to the
> protocol, but it's an accidental side effect that server ops may have to
> watch out for.
> 
>> Users can forge both kinds of requests easily enough, whoever sits in the
>> middle can access both, 
> 
> I'm not sure what you mean by that.  Obviously if users want to record
> their own conversations, then I can't stop them, but that's much
> different than a non-participant in the conversation leaving a recorder
> running 24/7.  Is that so hard to understand?
> 
> Interception from the middle is addressed by SSL, though that relies on
> the PKI certificate infrastructure, which while somewhat dubious, is
> better than nothing.
> 
>> and it's at the discretion of the service provider to only save what
>> it needs to.  If you don't trust it, don't use it.
> 
> I certainly didn't feel that saving or not saving client conversations
> on the server side was up to my discretion.  When I found that the
> default server configuration caused conversations to be logged then I
> was appalled.
> 
> Do you think the phone company has the right to record all your phone
> calls if they feel like it (absent something like a law enforcement
> investigation)?  What about coffee shops that you visit with your
> friends?  It is not up to their discretion.  They have a positive
> obligation to not do it.  If you think they are doing it on purpose
> without your authorization, you should notify the FBI or your
> equivalent, not just "don't use it".  If they find they are doing it
> inadvertently, they have to take measures to make it stop.  That is the
> situation I found myself in, because of the difference in how servers
> treat GET vs.  POST.

A lot will depend on the terms of service of the network supply
contract. Most vendors take pains to ensure that such "innocent" logging
(i.e. the maintenance by their servers of logging information, which may
under subpoena or similar legal coercion be given up to law enforcement
authorities as "business records") is permitted. If you have signed the
contract, then they have the right to log that data.

Caveat emptor.

regards
 Steve
-- 
Steve Holden           +1 571 484 6266   +1 800 494 3119
PyCon is coming! Atlanta, Feb 2010  http://us.pycon.org/
Holden Web LLC                 http://www.holdenweb.com/
UPCOMING EVENTS:        http://holdenweb.eventbrite.com/
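The GET-versus-POST logging difference discussed in the thread, shown as an added example that is not part of any message above: Python's stock http.server writes the complete request line to its access log, so a credential carried in the query string of a GET lands in the log, while the same credential in a POST body never appears there because bodies are not part of the request line. The request bytes, the /login path, the fake connection object and the list of sensitive parameter names are all constructed for this example; the redacting handler is one possible mitigation written for this example, not code from the thread or from the Python project.

```python
import io
from http.server import BaseHTTPRequestHandler
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample traffic: the same credential sent once in the query
# string of a GET and once in the body of a POST.
GET_REQUEST = (b"GET /login?user=alice&password=hunter2 HTTP/1.0\r\n"
               b"Host: example.test\r\n\r\n")
POST_BODY = b"user=alice&password=hunter2"
POST_REQUEST = (b"POST /login HTTP/1.0\r\n"
                b"Host: example.test\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\n"
                b"Content-Length: %d\r\n\r\n" % len(POST_BODY)) + POST_BODY

# Parameter names whose values must never reach the access log (assumed list).
SENSITIVE_PARAMS = {"password", "token", "session", "api_key"}


def redact_query(target, sensitive=SENSITIVE_PARAMS):
    """Return the request target with sensitive query values replaced."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, "[REDACTED]" if k.lower() in sensitive else v)
               for k, v in pairs]
    # safe="[]" keeps the marker readable instead of percent-encoding it.
    return urlunsplit(parts._replace(query=urlencode(cleaned, safe="[]")))


class _FakeConnection:
    """Minimal socket stand-in so the handler runs without any networking."""

    def __init__(self, raw_request):
        self._rfile = io.BytesIO(raw_request)
        self.sent = io.BytesIO()

    def makefile(self, mode, *args, **kwargs):
        return self._rfile

    def sendall(self, data):
        self.sent.write(data)


class LoggingHandler(BaseHTTPRequestHandler):
    """Stock http.server behaviour: log_request records the whole request line."""
    captured = []  # access-log lines, collected instead of written to stderr

    def log_message(self, fmt, *args):
        self.captured.append(fmt % args)

    def _ok(self):
        self.send_response(200)  # send_response is what triggers log_request
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_POST = _ok


class RedactingHandler(LoggingHandler):
    """Same server, but the access log never sees sensitive query values."""
    captured = []

    def log_request(self, code="-", size="-"):
        # requestline is "METHOD target VERSION"; only the target needs care.
        method, target, version = self.requestline.split(" ", 2)
        safe_line = " ".join((method, redact_query(target), version))
        self.log_message('"%s" %s %s', safe_line, str(code), str(size))


def serve(handler_cls, raw_request):
    """Feed one raw HTTP request to a handler and return its access-log lines."""
    handler_cls.captured.clear()
    handler_cls(_FakeConnection(raw_request), ("127.0.0.1", 0), None)
    return list(handler_cls.captured)


if __name__ == "__main__":
    print("default, GET :", serve(LoggingHandler, GET_REQUEST)[0])
    print("default, POST:", serve(LoggingHandler, POST_REQUEST)[0])
    print("redacted, GET:", serve(RedactingHandler, GET_REQUEST)[0])
```

Redacting at log time only protects the server's own access log; the same query string is still visible in browser history, Referer headers and any proxy between the client and the server, which is why the secret belongs in the body or a header in the first place.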