On 03.02.10 23:35, Paul Rubin wrote:
> "Diez B. Roggisch"<de...@nospam.web.de> writes:
>> If somebody happens to have access to a proxy & its logs, he can as
>> well log the request body.
>
> I'm not talking about a malicious server operator. In this situation, I
> was the server operator and I didn't want to be recording the
> conversations. I had to go out of my way to stop the recording. SSL
> doesn't help and in fact I was using it, but web server logging happens
> after the SSL layer. I suppose SSL would help against a malicious
> proxy.

Well, we actually implemented POST-parameter logging (inside the
WSGI-app), because we *want* all parameters users pass. They end up in
the application anyway, and aid debugging. Of course we blind sensitive
parameters such as passwords & credit card numbers.
Of course only information not gathered is really safe information. But
every operation that has side-effects is reproducible anyway, and if
e.g. your chat-app has a history, you can as well log the parameters.
Diez
--
http://mail.python.org/mailman/listinfo/python-list