[150322] in North American Network Operators' Group


Re: DNS Attacks

daemon@ATHENA.MIT.EDU (Jimmy Hess)
Tue Feb 21 17:29:57 2012

In-Reply-To: <CAMhuimisRngM_0si_fdWRhcxA-YOMASyzi4XHm-zOE-_uM0+2Q@mail.gmail.com>
Date: Tue, 21 Feb 2012 16:29:04 -0600
From: Jimmy Hess <mysidia@gmail.com>
To: Ken Gilmour <ken.gilmour@gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Sun, Feb 19, 2012 at 4:59 AM, Ken Gilmour <ken.gilmour@gmail.com> wrote:
> What happens when the client sends a POST from a cached page on the end
> user's machine? E.g. if they post login credentials. Of course, they'll get
> the error page, but then you have confidential data in your logs and now
> you have to protect highly confidential info, at least if you're in Europe.

Either you don't log the data on the webserver, or you notify the
user that the POST form data has now been posted, and display the link
to the public web page where their posted data now appears, on the
error page.

Once your user has shared "confidential" information unsolicited with
an unknown third party, and the general public, the information's
confidentiality was spoiled by the act of posting, regardless of the
content of the information.

-- 
-JH

