Re: Privacy and HTTP intermediaries

From: Mark Nottingham <mnot@mnot.net>
Date: Tue, 3 May 2011 11:47:45 +1000
Cc: httpbis mailing list <ietf-http-wg@w3.org>
Message-Id: <5BE1FE5A-63DD-4468-8FAC-DC667EE3E6EF@mnot.net>
To: "Thomson, Martin" <Martin.Thomson@commscope.com>

On 03/05/2011, at 11:10 AM, Thomson, Martin wrote:

> The issue of logging HTTP requests has come up in a discussion in another working group.
> 
> The goal is not just to prevent someone from learning that a certain person requested a certain resource, but to protect the identity of the resource.  That is, the very existence of the resource is a secret.
> 
> I understand that with CONNECT an intermediary only really knows that a particular server has been contacted, but what about unsecured HTTP?  Does the value of the Cache-Control header have any bearing on whether something is logged?

Nope.

I suppose you could read Cache-Control: no-store as having those semantics, but it doesn't in any implementation I'm aware of. Perhaps we need to clarify that.

> What sort of logging does an HTTP intermediary typically do?

The Squid format is fairly common; see:
  http://wiki.squid-cache.org/SquidFaq/SquidLogs#access.log
  http://www.squid-cache.org/Doc/config/logformat/

Cheers,


--
Mark Nottingham   http://www.mnot.net/
Received on Tuesday, 3 May 2011 01:48:14 GMT
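
Added example, not part of the original message or of Squid: a small Python parser for Squid's native access.log layout, showing what each entry reveals about the requested resource for plain HTTP versus CONNECT. The log lines, host names and addresses are constructed samples, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client code/status bytes method URL user hierarchy/peer type
# The layout has no field for response headers such as Cache-Control.
SAMPLE_LOG = """\
1304387265.123    210 192.0.2.10 TCP_MISS/200 5120 GET http://example.test/secret/report-7f3a.pdf - DIRECT/198.51.100.7 application/pdf
1304387270.456   1530 192.0.2.10 TCP_MISS/200 48211 CONNECT example.test:443 - DIRECT/198.51.100.7 -
"""


def parse_line(line):
    """Split one native-format line into named fields."""
    fields = line.split()
    if len(fields) < 10:
        raise ValueError("not a native-format access.log line: %r" % line)
    code, _, status = fields[3].partition("/")
    return {
        "time": float(fields[0]),
        "client": fields[2],
        "code": code,
        "status": int(status),
        "method": fields[5],
        "url": fields[6],
    }


def exposure(entry):
    """Return (host, path): what the entry reveals about the resource.

    path is None for CONNECT, where only the target host:port is logged.
    """
    if entry["method"] == "CONNECT":
        host = entry["url"].rsplit(":", 1)[0]  # drop the port
        return host, None
    parts = urlsplit(entry["url"])
    path = parts.path + ("?" + parts.query if parts.query else "")
    return parts.hostname, path


def summarize(log_text):
    """Map every non-empty log line to its (host, path) exposure."""
    return [exposure(parse_line(l)) for l in log_text.splitlines() if l.strip()]


if __name__ == "__main__":
    for host, path in summarize(SAMPLE_LOG):
        print(host, path if path is not None else "<path not visible>")
```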