RE: Privacy and HTTP intermediaries

On 2011-05-03 at 15:18:40, Willy Tarreau wrote:
> I think it'd be more efficient to remind the reader about that in the 
> spec, so that implementers leave the choice to their users 
> (accessibility vs privacy). Right now when I connect to Yahoo mail in 
> clear text from some customer's, I know I'm taking a risk on my 
> privacy but I have my access.
> With WS it should be the same. When you connect to some services in 
> clear text, you accept a risk.

This discussion probably needs to include a quote of the relevant, and existing, disclaimer.

      This directive is NOT a reliable or sufficient mechanism for
      ensuring privacy.  In particular, malicious or compromised caches
      might not recognize or obey this directive, and communications
      networks might be vulnerable to eavesdropping.

As this disclaimer says, there's no accounting for those who choose to disrespect your wishes.  But that doesn't mean that you should suffer indignities quietly, or not even bother trying.

I think that a quick skim of might be enlightening for those who aren't aware of some of the more advanced privacy work currently going on.


Received on Tuesday, 3 May 2011 06:08:30 UTC