>>>>> "ST" == Stephen Turner <[email protected]> writes:

ST> I am the upstream author. I tend to feel that the fault is in the
ST> browser for retaining sensitive information in the referrer. But in
ST> any case, you can use analog's REFALIAS command to modify the
ST> referrer and remove the information.

Such password containing URLs can and have appeared in any section of
the Analog report where URLs appear, not just referral sections.

All they have to do is somehow appear in the Apache etc. logs, thus the
browsers, which we have no control of anyway, are not always to blame.

One could say that Apache is to blame for putting them into logs, but
it is only reporting what URL failed that day (though it worked the next...)
and those logs are in a secure area (at least on Dreamhost, where one
person can see them vs. Analog reports that a team can see, though yes,
not the whole world.)

Anyway, my main point is the Analog configuration is very often highly
restricted by ISPs in what one can adjust. And only a few items can be
changed, and only through a "panel".

Therefore zapping such sensitive parts of URLs should be the new Analog
default, and passing them through unscathed should be a configuration
item, default zap=yes.

So the should look like http://[username:[email protected]/bla instead of
the actual details. The href should just be example.com/bla .



-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to