>And having read and written this particular audit line item about 29074894389734897 times in the last 15 years, let me assure you that logging is clearly an issue. Which is what I said. Logging sensitive info is an…
Unfortunately, very little is required to be HTTP compliant. It is almost all SHOULDs and SHOULD NOTs, and is full of vagueness. Here's a quick discussion of how bad the HTTP spec is for being strict and easy to…
Now read it. Notice how it is all "SHOULD" and "SHOULD NOT". You can do whatever you want and still be HTTP compliant. Using practices that are not recommended is not the same as being non-compliant.
No, I wouldn't be 99.994% sure of that at all. In fact, I would assume that if they are suggesting that people use GET, that they are in fact not logging the query params, as any security audit would catch that. And…
Actually, we ding you for putting sensitive information in URLs that are used in a browser. The reason is that it will then be sent to other sites in the referrer header. When it is used for an API it doesn't matter. A…
Would you care to point out where in the HTTP RFCs it requires the use of certain methods for certain operations? The reality is, you can do whatever you like as far as HTTP is concerned. In fact, only GET and HEAD are…
You are very confused. SSL is used to encrypt transmission between the browser and web server. Of course the web server decrypts the data it receives, otherwise it wouldn't be able to use it. I am saying you can not…
I addressed why what gets in logs doesn't matter: if their server is compromised you have to assume you are boned anyways. And I don't understand why is your comment would be talking about "HTTP-GET"? The API in…
I'm not saying it is a nice API, or that it is in any way a REST API. Just that unless I am missing something, it is HTTP compliant.
>If you're using SSL then form data in a POST request will be encrypted So will everything else, including the URI being requested, and thus the query string in it. Which is why it makes no difference using GET or…
Custom headers do not REQUIRE a prefix. So the lack of prefix does not make it non-compliant. In fact, the HTTP RFC doesn't even say they SHOULD have a prefix. And RFC822 which defines headers only says that protocol…
You have no way of knowing what they log and don't log. If their server logs are compromised, you should be assuming their username/password database was as well. And HTTPS requests are encrypted. The whole request,…
In what way is it not compliant?
No they aren't sent plain-text: >https://subdomain.sharefile.com/rest/getAuthID.aspx Notice the https. The facepalm is just that there's no additional security in using POST vs GET.
>Free Software is not a gift Yes it is, that is what free means. Check a dictionary. >Free Software, as advocated by the FSF and many others The FSF doesn't actually get to re-define the word free to mean…
They didn't. They just tried to store data on EBS volumes, you know, like they are supposed to. But EBS performance is very bad, and incredibly variable. So they would end up getting timeouts trying to write to the…
Because of the cloud fad. People have always made bad IT decisions based on the flavor of the month. They still do.
>And having read and written this particular audit line item about 29074894389734897 times in the last 15 years, let me assure you that logging is clearly an issue. Which is what I said. Logging sensitive info is an…
Unfortunately, very little is required to be HTTP compliant. It is almost all SHOULDs and SHOULD NOTs, and is full of vagueness. Here's a quick discussion of how bad the HTTP spec is for being strict and easy to…
Now read it. Notice how it is all "SHOULD" and "SHOULD NOT". You can do whatever you want and still be HTTP compliant. Using practices that are not recommended is not the same as being non-compliant.
No, I wouldn't be 99.994% sure of that at all. In fact, I would assume that if they are suggesting that people use GET, that they are in fact not logging the query params, as any security audit would catch that. And…
Actually, we ding you for putting sensitive information in URLs that are used in a browser. The reason is that it will then be sent to other sites in the referrer header. When it is used for an API it doesn't matter. A…
Would you care to point out where in the HTTP RFCs it requires the use of certain methods for certain operations? The reality is, you can do whatever you like as far as HTTP is concerned. In fact, only GET and HEAD are…
You are very confused. SSL is used to encrypt transmission between the browser and web server. Of course the web server decrypts the data it receives, otherwise it wouldn't be able to use it. I am saying you can not…
I addressed why what gets in logs doesn't matter: if their server is compromised you have to assume you are boned anyways. And I don't understand why is your comment would be talking about "HTTP-GET"? The API in…
I'm not saying it is a nice API, or that it is in any way a REST API. Just that unless I am missing something, it is HTTP compliant.
>If you're using SSL then form data in a POST request will be encrypted So will everything else, including the URI being requested, and thus the query string in it. Which is why it makes no difference using GET or…
Custom headers do not REQUIRE a prefix. So the lack of prefix does not make it non-compliant. In fact, the HTTP RFC doesn't even say they SHOULD have a prefix. And RFC822 which defines headers only says that protocol…
You have no way of knowing what they log and don't log. If their server logs are compromised, you should be assuming their username/password database was as well. And HTTPS requests are encrypted. The whole request,…
In what way is it not compliant?
No they aren't sent plain-text: >https://subdomain.sharefile.com/rest/getAuthID.aspx Notice the https. The facepalm is just that there's no additional security in using POST vs GET.
>Free Software is not a gift Yes it is, that is what free means. Check a dictionary. >Free Software, as advocated by the FSF and many others The FSF doesn't actually get to re-define the word free to mean…
They didn't. They just tried to store data on EBS volumes, you know, like they are supposed to. But EBS performance is very bad, and incredibly variable. So they would end up getting timeouts trying to write to the…
Because of the cloud fad. People have always made bad IT decisions based on the flavor of the month. They still do.