Ignore:
Timestamp:
Mar 12, 2012, 1:19:08 AM (8 years ago)
Author:
fielding@…
Message:

clean up some of the nonsense in security considerations

File:
1 edited

Legend:

Unmodified
Added
Removed
  • draft-ietf-httpbis/latest/p1-messaging.xml

    r1586 r1588  
    37063706   A server is in the position to save personal data about a user's
    37073707   requests which might identify their reading patterns or subjects of
    3708    interest. This information is clearly confidential in nature and its
    3709    handling can be constrained by law in certain countries. People using
    3710    HTTP to provide data are responsible for ensuring that
    3711    such material is not distributed without the permission of any
    3712    individuals that are identifiable by the published results.
     3708   interest.  In particular, log information gathered at an intermediary
     3709   often contains a history of user agent interaction, across a multitude
     3710   of sites, that can be traced to individual users.
     3711</t>
     3712<t>
     3713   HTTP log information is confidential in nature; its handling is often
     3714   constrained by laws and regulations.  Log information needs to be securely
     3715   stored and appropriate guidelines followed for its analysis.
     3716   Anonymization of personal information within individual entries helps,
     3717   but is generally not sufficient to prevent real log traces from being
     3718   re-identified based on correlation with other access characteristics.
     3719   As such, access traces that are keyed to a specific client should not
     3720   be published even if the key is pseudonymous.
     3721</t>
     3722<t>
     3723   To minimize the risk of theft or accidental publication, log information
     3724   should be purged of personally identifiable information, including
     3725   user identifiers, IP addresses, and user-provided query parameters,
     3726   as soon as that information is no longer necessary to support operational
     3727   needs for security, auditing, or fraud control.
    37133728</t>
    37143729</section>
     
    37453760</section>
    37463761
    3747 <section title="Proxies and Caching" anchor="attack.proxies">
    3748 <t>
    3749    By their very nature, HTTP proxies are men-in-the-middle, and
     3762<section title="Intermediaries and Caching" anchor="attack.intermediaries">
     3763<t>
     3764   By their very nature, HTTP intermediaries are men-in-the-middle, and
    37503765   represent an opportunity for man-in-the-middle attacks. Compromise of
    3751    the systems on which the proxies run can result in serious security
    3752    and privacy problems. Proxies have access to security-related
     3766   the systems on which the intermediaries run can result in serious security
     3767   and privacy problems. Intermediaries have access to security-related
    37533768   information, personal information about individual users and
    37543769   organizations, and proprietary information belonging to users and
    3755    content providers. A compromised proxy, or a proxy implemented or
    3756    configured without regard to security and privacy considerations,
    3757    might be used in the commission of a wide range of potential attacks.
    3758 </t>
    3759 <t>
    3760    Proxy operators need to protect the systems on which proxies run as
    3761    they would protect any system that contains or transports sensitive
    3762    information. In particular, log information gathered at proxies often
    3763    contains highly sensitive personal information, and/or information
    3764    about organizations. Log information needs to be carefully guarded, and
    3765    appropriate guidelines for use need to be developed and followed.
    3766    (<xref target="abuse.of.server.log.information"/>).
    3767 </t>
    3768 <t>
    3769    Proxy implementors need to consider the privacy and security
     3770   content providers. A compromised intermediary, or an intermediary
     3771   implemented or configured without regard to security and privacy
     3772   considerations, might be used in the commission of a wide range of
     3773   potential attacks.
     3774</t>
     3775<t>
     3776   Intermediaries that contain a shared cache are especially vulnerable
     3777   to cache poisoning attacks.
     3778</t>
     3779<t>
     3780   Implementors need to consider the privacy and security
    37703781   implications of their design and coding decisions, and of the
    3771    configuration options they provide to proxy operators (especially the
     3782   configuration options they provide to operators (especially the
    37723783   default configuration).
    37733784</t>
    37743785<t>
    3775    Users of a proxy need to be aware that proxies are no more trustworthy than
     3786   Users need to be aware that intermediaries are no more trustworthy than
    37763787   the people who run them; HTTP itself cannot solve this problem.
    37773788</t>
     
    38073818   phrases, header field-names, and body chunks) &SHOULD; be limited by
    38083819   implementations carefully, so as to not impede interoperability.
    3809 </t>
    3810 </section>
    3811 
    3812 <section title="Denial of Service Attacks on Proxies" anchor="attack.DoS">
    3813 <t>
    3814    They exist. They are hard to defend against. Research continues.
    3815    Beware.
    38163820</t>
    38173821</section>
Note: See TracChangeset for help on using the changeset viewer.