- From: <rep@iexist.att.com>
- Date: Fri, 28 Jul 95 09:00:11 CDT
- To: Norderhaug.CHI@xerox.com, www-talk@w3.org
Terje <Norderhaug.CHI@Xerox.com> wrote:

> At 8:10 AM 7/27/95, rep@iexist.att.com wrote:
> >I must be missing something because I don't see the connection between
> >privacy and the client vs. server generation of a Session ID.[...]
> >As long as our clients allow us to configure them not to send
> >REMOTE_USER and REMOTE_IDENT, the server won't really know who we are, will
> >they?
>
> At some point in time you might find yourself filling out personal
> information in a form. With session ids across servers it becomes possible
> to trace your exact steps on the web by merging the entries with the same
> id in the logfiles from the various services. Even more so if the id is
> kept between sessions.
>
> -- Terje <Norderhaug.CHI@Xerox.com>
> <URL:http://www.ifi.uio.no/~terjen/>

Terje:

Thanks for the explanation; now I think I understand the concern. But is
that trace likely in practice? It assumes a) that Session IDs are unique
across the entire Web (at least over the time interval of the trace), b)
the server owners (who might be competing businesses) are willing to
sell/share the log files, and c) it is worth enough to somebody to examine
all the log files of the Web looking for Session ID correlations.

It seems to me that if somebody was that interested, it would be far
easier for them to buy or steal the information from my Internet Service
Provider who has access (already correlated and unambiguously attributed
to my PC/workstation) to every packet sent and received.

Thanks again,
Randy Pitt
rep@iexist.att.com
Received on Friday, 28 July 1995 23:01:52 UTC
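The exchange above turns on one mechanism: if the client sends the same Session ID to every server, the servers' log files can be joined on that column. The following is an added example, not part of the original thread or of any W3C code; the three log files, the server names, the secret keys and the session ids are all constructed. It shows the correlation Terje describes (merging log entries that share an id) and the mitigation implied by server-side generation: if each server derives or assigns its own id, the same visitor is recorded under unlinkable ids and the join yields nothing even when the logs are pooled.

```python
"""Cross-server log correlation on a shared Session ID, and why
server-scoped ids defeat it. Added example; all data is constructed."""
import hashlib
import hmac
from collections import defaultdict

# A client-generated id sent unchanged to every server (constructed value).
GLOBAL_ID = "c1d2e3"

# Constructed per-server access logs: (session_id, request_path).
LOGS = {
    "shop":   [(GLOBAL_ID, "/order?item=book"),
               ("ffff01", "/order?item=pen")],
    "health": [(GLOBAL_ID, "/form?condition=asthma"),
               ("ffff02", "/form?condition=flu")],
    "news":   [(GLOBAL_ID, "/article/17")],
}

# Hypothetical per-server secrets, never shared between operators.
SECRETS = {
    "shop":   b"shop-secret-key",
    "health": b"health-secret-key",
    "news":   b"news-secret-key",
}


def correlate(logs):
    """Merge all logs and keep ids that appear on more than one server.

    Returns {session_id: [(server, path), ...]}; a non-empty result is the
    cross-site trace Terje describes."""
    seen = defaultdict(list)
    for server, entries in logs.items():
        for sid, path in entries:
            seen[sid].append((server, path))
    return {sid: hits for sid, hits in seen.items()
            if len({server for server, _ in hits}) > 1}


def server_scoped_id(client_value, server_secret):
    """Mitigation: each server maps whatever the client sent to an id only
    it can reproduce (HMAC with its own secret).  A freshly generated random
    id per server works equally well; HMAC is used here so the example is
    deterministic and testable."""
    digest = hmac.new(server_secret, client_value.encode(), hashlib.sha256)
    return digest.hexdigest()[:12]


def rescope_logs(logs, secrets):
    """Rewrite every log as it would look if that server had assigned its
    own id instead of recording the client-supplied one."""
    return {
        server: [(server_scoped_id(sid, secrets[server]), path)
                 for sid, path in entries]
        for server, entries in logs.items()
    }


def trace_for(logs, session_id):
    """Ordered list of (server, path) for one id across the pooled logs."""
    return correlate(logs).get(session_id, [])


if __name__ == "__main__":
    print("shared id  :", correlate(LOGS))
    print("scoped ids :", correlate(rescope_logs(LOGS, SECRETS)))
```

Run as written, the first line prints the full trail of `c1d2e3` across the shop, health and news logs, and the second prints an empty dict: with per-server ids there is no common column to join on, which is the property a server-generated Session ID gives you regardless of whether log files are ever shared.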