💾 Archived View for rawtext.club › ~sloum › geminilist › 001067.gmi captured on 2020-09-24 at 02:08:39. Gemini links have been rewritten to link to archived content
-=-=-=-=-=-=-
solderpunk solderpunk at SDF.ORG
Tue May 26 18:59:08 BST 2020
- - - - - - - - - - - - - - - - - - -
On Mon, May 25, 2020 at 07:11:04PM -0400, Sean Conner wrote:
> [b] Mandatory per RFC-3875---the more security conscious of you might
>     not like this, but in that case, I can recommend the value of
>     "127.0.0.1" or "::1"
> [c] Can be the IP address, which is what I do
It's true that, as I've written in the past, I really am not a fan of this information being passed along for privacy reasons. Yes, of course, I know full well that the server itself already knows your IP address, by necessity. I am totally fine with admins logging that information for the sake of debugging or abuse prevention.
But I just don't see the need to pass this information along to applications. What possible legitimate use could they have for it? If they want to recognise consecutive requests from the same user so they can maintain state server side, well, that's what client certificates are for. The application can request one, instead of relying on the IP address, which won't work well anyway if somebody is using a popular VPN exit node. The only other thing I can think of which is potentially even vaguely legitimate is geolocation so the app can e.g. serve a suitable translated interface. But even that's iffy in my mind because geolocation is so terribly unreliable in this day and age because so many people habitually use VPNs and may not be where they appear to be.
I know this field is mandatory in RFC-3875 - what is the scope of that RFC with respect to protocols? Does it only talk about HTTP or is it supposed to be more general?
Cheers,
Solderpunk
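
Added example (not part of the original message, and not code from any Gemini server): a sketch of the split discussed in this thread, where the server logs the real peer address, hands CGI applications a loopback REMOTE_ADDR, and the application keys its state on a client-certificate fingerprint. The function names, the TLS_CLIENT_HASH variable name and the sample addresses and certificate bytes are assumptions made for illustration.

```python
import hashlib
import ipaddress


def build_cgi_env(peer_ip, client_cert_der=None, expose_ip=False):
    """Return (env, log_record) for one request.

    env is what the CGI application sees; log_record stays with the server.
    """
    addr = ipaddress.ip_address(peer_ip)  # raises ValueError on garbage input
    if expose_ip:
        remote = str(addr)
    else:
        # REMOTE_ADDR is mandatory in RFC 3875, so keep the field but
        # fill it with loopback in the same address family as the peer.
        remote = "::1" if addr.version == 6 else "127.0.0.1"
    env = {"GATEWAY_INTERFACE": "CGI/1.1", "REMOTE_ADDR": remote}
    if client_cert_der is not None:
        # Assumed variable name; the fingerprint is a SHA-256 of the DER cert.
        digest = hashlib.sha256(client_cert_der).hexdigest()
        env["TLS_CLIENT_HASH"] = "SHA256:" + digest
    log_record = {"peer": str(addr)}  # admin-side debugging / abuse handling
    return env, log_record


def session_key(env):
    """Application side: identify a returning user by certificate only.

    Returns None when no certificate was presented, in which case the
    application should ask the client for one instead of using the IP.
    """
    return env.get("TLS_CLIENT_HASH")


# Constructed sample data: documentation-range IPs and fake certificate bytes.
CERT_A = b"constructed-der-bytes-for-user-A"
CERT_B = b"constructed-der-bytes-for-user-B"

if __name__ == "__main__":
    # Two users behind one VPN exit, then user A again from another network.
    for ip, cert in [("203.0.113.7", CERT_A), ("203.0.113.7", CERT_B),
                     ("198.51.100.20", CERT_A), ("2001:db8::1", None)]:
        env, log = build_cgi_env(ip, cert)
        print(log["peer"], env["REMOTE_ADDR"], session_key(env))
```
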