Re: Privacy and HTTP intermediaries

On Tue, May 03, 2011 at 02:07:58PM +0800, Thomson, Martin wrote:
> On 2011-05-03 at 15:18:40, Willy Tarreau wrote:
> > I think it'd be more efficient to remind the reader about that in the 
> > spec, so that implementers leave the choice to their users 
> > (accessibility vs privacy). Right now when I connect to Yahoo mail in 
> > clear text from some customer's, I know I'm taking a risk on my 
> > privacy but I have my access.
> > With WS it should be the same. When you connect to some services in 
> > clear text, you accept a risk.
> 
> This discussion probably needs to include a quote of the relevant, and existing, disclaimer.
> 
>       This directive is NOT a reliable or sufficient mechanism for
>       ensuring privacy.  In particular, malicious or compromised caches
>       might not recognize or obey this directive, and communications
>       networks might be vulnerable to eavesdropping.
> 
> As this disclaimer says, there's no accounting for those who choose to disrespect your wishes.  But that doesn't mean that you should suffer indignities quietly, or not even bother trying.

OK but still my point remains that cache-control is irrelevant to logging.
Cache-* is for caches only. Proxies, l7 firewalls, load balancers, WAFs,
compressors, URL filters, anti-virus, etc... all do log and will not inspect
cache-* because they are not caches (and it should remain this way).

Probably HTTP will need some extensions to handle privacy. For instance,
a header might be used to indicate what part of the URI may be logged (eg:
max length), if the request body may be logged, and the same for response
(eg: redirects). But anyway, most of the time logging is made mandatory on
whatever information is available, for troubleshooting as well as because
of legal obligations, and the same legal obligations might force you to destroy
those logs past a certain delay.

Regards,
Willy

Received on Tuesday, 3 May 2011 06:17:28 UTC
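As an added illustration of the two points made in the message above (this is example code, not something from the thread or from any HTTP implementation): a toy access logger for an intermediary. It never consults Cache-Control, because caches, not loggers, are its audience; and it honours a hypothetical per-request header, here called X-Log-Policy (an assumed name, not a registered header), carrying a URI length cap and a body flag along the lines Willy sketches. Retention is modelled by dropping entries older than a fixed delay. All requests and timestamps are constructed.

```python
# Added example, not code from the thread. X-Log-Policy and its
# "uri-max=<n>; body=no" syntax are assumptions made for illustration.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

LOG_POLICY_HEADER = "x-log-policy"  # assumed name, not a standard header


@dataclass
class Request:
    method: str
    uri: str
    headers: dict = field(default_factory=dict)  # lower-cased header names
    body: bytes = b""


def parse_log_policy(value):
    """Parse 'uri-max=<n>; body=no' into a dict. Unknown or malformed
    directives are ignored, so a bad header degrades to today's behaviour:
    log whatever is available."""
    policy = {"uri_max": None, "body": True}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().lower()
        if name == "uri-max" and arg.isdigit():
            policy["uri_max"] = int(arg)
        elif name == "body":
            policy["body"] = arg not in ("no", "0", "false")
    return policy


def redact_uri(uri, uri_max):
    """Keep at most uri_max characters of the URI and mark the cut, so an
    operator reading the log can tell the line was shortened on purpose."""
    if uri_max is None or len(uri) <= uri_max:
        return uri
    return uri[:uri_max] + "[truncated]"


def access_log_line(req, now):
    """Build one access-log line. Note what is deliberately not looked at:
    the Cache-Control header. Caches honour it; a logger has no reason to."""
    policy = parse_log_policy(req.headers.get(LOG_POLICY_HEADER, ""))
    uri = redact_uri(req.uri, policy["uri_max"])
    body_field = f"body={len(req.body)}B" if policy["body"] else "body=[suppressed]"
    return f"{now.isoformat()} {req.method} {uri} {body_field}"


@dataclass
class LogEntry:
    when: datetime
    line: str


def expire_logs(entries, now, max_age):
    """Return only entries younger than max_age: the 'destroy those logs
    past a certain delay' obligation."""
    return [e for e in entries if now - e.when < max_age]


def demo():
    """Run the constructed scenario; returns (log lines, entries kept)."""
    now = datetime(2011, 5, 3, 6, 17, 28, tzinfo=timezone.utc)
    # Constructed sample requests, not captured traffic.
    plain = Request("GET", "/mail/inbox?user=alice&token=sekrit",
                    {"cache-control": "no-store"})
    guarded = Request("POST", "/mail/send?user=alice&token=sekrit",
                      {"cache-control": "no-store",
                       LOG_POLICY_HEADER: "uri-max=10; body=no"},
                      body=b"Hello Bob")
    lines = [access_log_line(plain, now), access_log_line(guarded, now)]
    entries = [LogEntry(now - timedelta(days=2), lines[0]),
               LogEntry(now - timedelta(hours=1), lines[1])]
    kept = expire_logs(entries, now, timedelta(days=1))
    return lines, len(kept)


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

The first request carries `Cache-Control: no-store` and is still logged in full, query string included; the second is shortened and its body suppressed only because of the separate, hypothetical logging header.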