httpd-dev mailing list archives

From Paul Querna <p...@querna.org>
Subject Re: server-status and privacy
Date Wed, 23 Jun 2010 08:20:03 GMT
On Tue, Jun 22, 2010 at 6:23 PM, Nicholas Sherlock <n.sherlock@gmail.com> wrote:
> On 22/06/2010 12:40 a.m., Jim Jagielski wrote:
>>
>> There have been a few reports regarding how server-status "leaks"
>> info, mostly about our (the ASF's) open use of server-status and
>> how IP addresses are exposed.
>>
>> I'm thinking about a patch that adjusts server-status/mod_status
>> to have a "public vs. private" setting... Public would be to
>> have IP addresses exposed as public info; private would be to
>> not expose 'em (keep 'em private).
>>
>> Comments?
>
> I can't believe that when I informed apache.org of this issue 70 days ago,
> the immediate response wasn't simply to disable server-status or restrict it
> to clients from within Apache's network. It is a completely unreasonable
> violation of your customers' privacy to broadcast their IP addresses and
> viewing habits.

1) This configuration has been present on apache.org for at least 10
years, probably longer.  Maybe the rest of the internet's expectation
of IP address privacy has changed in that time, but the server-status
on apache.org has been there for a long time.

2) There is no 'apache network' to restrict access from -- the real
asf server admins are random people all over the world.

3) I'm not really sure this belongs on dev@httpd at all;
infrastructure@apache.org is likely where you want to send complaints
of this type.  A feature request to add obfuscation to mod_status
might be interesting to some, but it's not really related to
apache.org's configuration.

4) How is it a "completely unreasonable violation" of privacy to show
request URLs to a public website, with zero private content or
anything even remotely sensitive, and associate that with an IP
address?  IP address X was looking up how to configure Hadoop... and
that harms someone how?  We aren't a search engine; we don't host
anything that is embarrassing or private on the public server-status
pages.

Thanks,

Paul
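The thread debates two mitigations: restricting who can read /server-status (Nicholas's suggestion) and hiding client IP addresses from the output (Jim's proposed public/private switch). The configuration below is an added example, not part of this message or a patch from the httpd project; it shows how both concerns can be addressed with directives mod_status and mod_authz_core already provide. The network ranges are constructed placeholders, and the access-control lines use httpd 2.4 syntax.

```apache
# Added example (not from the thread): limit who can read mod_status output
# and what per-client detail it contains.
LoadModule status_module modules/mod_status.so

# ExtendedStatus Off: only the scoreboard summary (worker states, totals)
# is rendered; the per-worker table with client IP, vhost and request
# line is omitted, which removes the data the thread is concerned about
# while keeping the page useful for load monitoring.
# ExtendedStatus On: the full table including client IPs is included.
ExtendedStatus Off

<Location "/server-status">
    SetHandler server-status
    # Only the local host and an administrative network may view the page.
    # 192.0.2.0/24 is a constructed placeholder (RFC 5737 documentation range).
    Require local
    Require ip 192.0.2.0/24
</Location>
```

On httpd 2.2, the release current when this thread was written, the equivalent of the two `Require` lines is `Order deny,allow`, `Deny from all`, `Allow from 127.0.0.1 192.0.2.0/24`. `ExtendedStatus` behaves the same on both branches, so a site that wants a public status page without client IPs can leave the Location open and set `ExtendedStatus Off`.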
