"Diez B. Roggisch" <de...@nospam.web.de> writes:
>> But it would be outrageous for the shop owner to record the
>> conversations of patrons.
>
> Which is the exact thing that happens when you use an email-provider
> with IMAP. Or google wave. Or groups. Or facebook. Or twitter. Which I
> wouldn't call outrageous.

Those are not comparable. IMAP is a storage service, and groups, facebook, and twitter are publishing systems (ok, I've never understood quite what Google Wave is). Yes, by definition, your voice mail provider (like IMAP) has to save recordings of messages people leave you, but that's a heck of a lot different than your phone carrier recording your real-time conversations. Recording live phone conversations by a third party is called a "wiretap" and doing it without suitable authorization can get you in a heck of a lot of trouble.

> This discussion moves away from the original question: is there
> anything inherently less secure when using GET vs. POST. There isn't.

Well, the extra logging of GET parameters is not inherent to the protocol, but it's an accidental side effect that server ops may have to watch out for.

> Users can forge both kind of requests easy enough, whoever sits in the
> middle can access both,

I'm not sure what you mean by that. Obviously if users want to record their own conversations, then I can't stop them, but that's much different than a non-participant in the conversation leaving a recorder running 24/7. Is that so hard to understand? Interception from the middle is addressed by SSL, though that relies on the PKI certificate infrastructure, which while somewhat dubious, is better than nothing.

> and it's at the discretion of the service provider to only save what
> it needs to. If you don't trust it, don't use it.

I certainly didn't feel that saving or not saving client conversations on the server side was up to my discretion. When I found that the default server configuration caused conversations to be logged then I was appalled. Do you think the phone company has the right to record all your phone calls if they feel like it (absent something like a law enforcement investigation)? What about coffee shops that you visit with your friends? It is not up to their discretion. They have a positive obligation to not do it.
If you think they are doing it on purpose without your authorization, you should notify the FBI or your equivalent, not just "don't use it". If they find they are doing it inadvertently, they have to take measures to make it stop. That is the situation I found myself in, because of the difference in how servers treat GET vs. POST.
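
Added example (not part of the original post): the logging side effect discussed in this message, shown on two constructed access-log lines in Common Log Format, together with a scrubber that keeps parameter names but drops their values. The /chat/send endpoint, the addresses and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample: the same message sent once via GET and once via POST.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2009:13:55:36 +0000] '
    '"GET /chat/send?to=alice&msg=meet+at+noon HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2009:13:55:40 +0000] '
    '"POST /chat/send HTTP/1.1" 200 512',
]

# The quoted request line of a Common Log Format entry.
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def logged_parameters(line):
    """Return the (name, value) pairs an access-log line exposes."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    return parse_qsl(query, keep_blank_values=True)


def scrub(line, placeholder="REDACTED"):
    """Rewrite a log line so parameter names survive but values do not."""
    def repl(m):
        parts = urlsplit(m.group("target"))
        pairs = parse_qsl(parts.query, keep_blank_values=True)
        query = urlencode([(name, placeholder) for name, _ in pairs])
        target = urlunsplit(parts._replace(query=query))
        return '"%s %s %s"' % (m.group("method"), target, m.group("proto"))
    return REQUEST_RE.sub(repl, line, count=1)


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(logged_parameters(entry))  # GET exposes the message, POST does not
        print(scrub(entry))
```

The POST body never reaches the request line, so the second entry exposes nothing and passes through the scrubber unchanged.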