Posted to bugs@httpd.apache.org by bu...@apache.org on 2020/01/26 10:51:31 UTC

[Bug 64099] New: Support for HTTP server police investigations

https://bz.apache.org/bugzilla/show_bug.cgi?id=64099

            Bug ID: 64099
           Summary: Support for HTTP server police investigations
           Product: Apache httpd-2
           Version: 2.5-HEAD
          Hardware: PC
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: All
          Assignee: bugs@httpd.apache.org
          Reporter: tapika@yahoo.com
  Target Milestone: ---

Use cases:
1. HTTP server is being used by scam / non-existent companies to defraud people
   - Non-existent money investments, other mechanisms to cheat people
2. HTTP server is being used by terrorists to advertise their viewpoint

Problematics related to HTTP server investigation:
- The person who gets defrauded is located in one country (e.g. Finland)
- The HTTP server or HTTP hosting service is located in another country (e.g. US)
- People behind the fraud might be located in a 3rd country.

To get to person, who performs fraud, need to have tight cooperation between
police offices.
- If invested money is not big, police does not consider even to investigate
  that particular case.

It should be possible to simplify police work, so locating people behind fraud
would be easier and simpler.

This is also question about whether there should be some sort of international
police (organizational changes), but I think more important that http server is
able to have technical capability to perform police investigation.

http server by default logs all transactions into local server logs, meanwhile
there should be some sort of elevated authority access (e.g. police,
international police, crime investigator, fraud investigator) - in this case
elevated authority should be able to get full access to server without anything
being logged into local server logs.

Log could be centralized - e.g. Finnish police might have its own log server,
where all elevated access would be recorded.

Elevated authority / police officer should be able to get all access to http
server, including http logs, http configuration, login information, web site
files, maybe also local databases.

There is always a risk that access will be gained by someone, who is not police
officer or elevated authority (hacker, etc) - that's why authorized access
logging needs to have its own means to perform "internal investigations".

I by myself haven't got into fraud situation, but one of my family relatives
did, but I will not disclose any further details on this, just to keep
information confidential.

I'm also not working for police and don't have any means to speed up or support
police investigation - but to my best understanding police offices can
influence or support this requirement.

For my own case, I would prefer that you would contact Finnish police so they
can list more strict requirements on this ticket, but as I see it - all http
servers in future might get covered by this requirement via local laws,
obligating software requirements.

You can also contact your own local police, where http developers live and
collect requirements from them.

If anyone from police offices supports this requirement, please add your
comments here - otherwise the need of this requirement is not so clear and
development team would not be able to commit to it.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


[Bug 64099] Support for HTTP server police investigations

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=64099

--- Comment #4 from Ruediger Pluem <rp...@apache.org> ---
(In reply to Jim Jagielski from comment #3)
> If this is important to you, then I suggest writing code that would allow
> this functionality and then submitting the code, in patch form, to this
> entry as an enhancement request.

Which of course people who choose to act in a criminal way would either disable
or use a different webserver product which does not have this "feature". Apart
from that forcefully recording this kind of data is controversial and probably
would violate privacy rights of people who connect to this server especially in
the EU and thus in Finland.



[Bug 64099] Support for HTTP server police investigations

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=64099

Eric Covener <co...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |WONTFIX

--- Comment #1 from Eric Covener <co...@gmail.com> ---
> Elevated authority / police officer should be able to get all access to http server

Not through our software.



[Bug 64099] Support for HTTP server police investigations

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=64099

--- Comment #6 from Tarmo Pikaro <ta...@yahoo.com> ---
(In reply to Ruediger Pluem from comment #4)
> (In reply to Jim Jagielski from comment #3)
> > If this is important to you, then I suggest writing code that would allow
> > this functionality and then submitting the code, in patch form, to this
> > entry as an enhancement request.
> 
> Which of course people who choose to act in a criminal way would either
> disable or use a different webserver product which does not have this
> "feature". 

That is true, but also depends what people use from web server.
I see that if functionality itself is integrated in apache http server, it
would cover current 41.3%
(https://w3techs.com/technologies/history_overview/web_server) of all http
servers.

I can raise similar kind of requirements to other servers as well.

I think eventually local country laws could enforce this to be present in all
http servers eventually.


> Apart from that forcefully recording this kind of data is
> controversial and probably would violate privacy rights of people who
> connect to this server especially in the EU and thus in Finland.

Data does not need to be recorded - elevated privilege person / police could
get access to server on demand / when required. Of course server administrator
always can configure to disable server logging, or disable server logging from
certain ip addresses - but if we could start from simple use cases and
advancing to more complex.

Bit more question about practical approach. Does Apache http server know in
which country it resides in or can query its master domain via some mechanism
/ means?



[Bug 64099] Support for HTTP server police investigations

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=64099

--- Comment #2 from Tarmo Pikaro <ta...@yahoo.com> ---
> Not through our software.

Can you elaborate on this a bit more?

Basically your answer can be interpreted as "too much work, and we are not
going to invest so much money into this change", or it can be also interpreted
as "we don't care about people, who fraud" or "we don't care about which
terrorists use our tools - let them use it as much as they want".

With "too much" work, I suspect that partially this could be also done by
police department, as we invest our own money through taxes, or invested
partially or fully funded by government or even governments.



[Bug 64099] Support for HTTP server police investigations

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=64099

--- Comment #3 from Jim Jagielski <ji...@apache.org> ---
If this is important to you, then I suggest writing code that would allow this
functionality and then submitting the code, in patch form, to this entry as an
enhancement request.



[Bug 64099] Support for HTTP server police investigations

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=64099

--- Comment #5 from Tarmo Pikaro <ta...@yahoo.com> ---
(In reply to Jim Jagielski from comment #3)
> If this is important to you, then I suggest writing code that would allow
> this functionality and then submitting the code, in patch form, to this
> entry as an enhancement request.

I'm a developer myself, so could consider this. Let's imagine I'll create this
functionality, integrate and properly test. Will you include this into http
apache base server, to be de-facto standard distribution?
