httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nick Kew <n...@webthing.com>
Subject Re: [PATCH 43415] Logging remote port.
Date Tue, 18 Sep 2007 13:07:06 GMT
On Tue, 18 Sep 2007 14:04:32 +0200
Adam Hasselbalch Hansen <ahh@one.com> wrote:

> You can read the entire thing in Danish here:
> 
> http://www.folketinget.dk/samling/20061/Lovforslag/L63/Bilag/7/351262.PDF

Looks more like legislation for ISPs than folks with a webserver.

> The relevant part is Section 5, which says (losely translated):
> 
> § 5. A provider of electronic communication nets or services for end 
> users must register the following information about an internet 
> session's initiating and terminating package:

The word "session" doesn't sit easily with a stateless protocol (HTTP),
and neither does the information required:
 
> 6. Time of start and end of communication.

... which tends to suggest they really do mean sessions.

I'd be sceptical about that applying to non-sessions such as
HTTP requests.

§ 5 Part 2: [user's identity & contact details].  Yeah, right.
    Part 3: [applies to mobile access]
    Part 4: [Requirements don't apply if they're not technically
             possible to meet]
So if Apache doesn't support this, you're exempt, yesno?  :-)


I was kind-of wondering whether anyone's thinking in terms
of fingerprinting botnet/malware attacks rather more than 
tracing death-threats or naughty pictures back to the last
anonymiser or zombie in their path.  If governments are 
doing that, it'll just induce botnets to randomise a
bit more, or mimic patterns of legitimate users.

-- 
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/

Mime
View raw message