httpd-dev mailing list archives

From Nicholas Sherlock <n.sherl...@gmail.com>
Subject Re: server-status and privacy
Date Wed, 23 Jun 2010 08:48:30 GMT

On 23/06/2010 8:20 p.m., Paul Querna wrote:
> 4) How is it a "completely unreasonable violation" of privacy to show
> request urls to a public website, with zero private content or
> anything even remotely sensitive, and associate that with an IP
> address?  IP address X was looking up how to configure Hadoop... and
> that harms someone how?   We aren't a search engine, we don't host
> anything that is embarrassing or private on the public server-status
> pages.

So if an attacker sees your company researching patches for a particular 
vulnerability reported on apache.org, that wouldn't be useful to them?

I don't know what hellhole you live in where companies casually
broadcasting your every interaction with them is considered acceptable.

Nicholas Sherlock
