👾 Archived View for rawtext.club ► ~sloum ► geminilist ► 001087.gmi captured on 2020-09-24 at 02:07:48. Gemini links have been rewritten to link to archived content
-=-=-=-=-=-=-
colecmac at protonmail.com
Tue May 26 23:18:49 BST 2020
- - - - - - - - - - - - - - - - - - -
> But I just don't see the need to pass this information along to
> applications. What possible legitimate use could they have for it?
I use it for gemlikes, because it's just a really simple way to prevent spam without having to complicate things with client certs. Client certs are great, but as you said, it would be a huge hassle to have to do it for each site.
I think providing the IP address is fine, and applications can use it if they want. Trying to restrict apps from accessing it will give people a false sense of security, I think.
makeworld
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday, May 26, 2020 1:59 PM, solderpunk <solderpunk at SDF.ORG> wrote:
On Mon, May 25, 2020 at 07:11:04PM -0400, Sean Conner wrote:
> [b] Mandatory per RFC-3875---the more security conscious of you might
> not like this, but in that case, I can recommend the value of
> "127.0.0.1" or "::1"
> [c] Can be the IP address, which is what I do
It's true that, as I've written in the past, I really am not a fan of
this information being passed along for privacy reasons. Yes, of
course, I know full well that the server itself already knows your IP
address, by necessity. I am totally fine with admins logging that
information for the sake of debugging or abuse prevention.
But I just don't see the need to pass this information along to
applications. What possible legitimate use could they have for it? If
they want to recognise consecutive requests from the same user so they
can maintain state server side, well, that's what client certificates
are for. The application can request one, instead of relying on the IP
address, which won't work well anyway if somebody is using a popular VPN
exit node. The only other thing I can think of which is potentially
even vaguely legitimate is geolocation so the app can e.g. serve a
suitable translated interface. But even that's iffy in my mind because
geolocation is so terribly unreliable in this day and age because so
many people habitually use VPNs and may not be where they appear to be.
I know this field is mandatory in RFC-3875 - what is the scope of that
RFC with respect to protocols? Does it only talk about HTTP or is it
supposed to be more general?
Cheers,
Solderpunk