Hacker News new | ask | show | jobs
by bo1024 607 days ago
Not following what could be sinister about a GET request to a public website.

> From a privacy POV, your VPN is doing nothing to them, because your IP address means very little to them from a tracking POV.

I disagree. (1) Since I have javascript disabled, IP address is generally their next best thing to go on. (2) I don't want to give them IP address to correlate with the other data they have on me, because if they sell that data, now someone else who only has my IP address suddenly can get a bunch of other stuff with it too.
2 comments
hombre_fatal 606 days ago
At the very least, they're wasting bandwidth to a (likely) low quality connection.

But anyone making malicious POST requests, like spamming chatGPT comments, first makes GET requests to load the submission and find comments to reply to. If they think you're a low quality user, I don't see why they'd bother just locking down POSTs.

link
zahllos 607 days ago
SQL injection?

Get parameters can be abused like any parameter. This could be sql, could be directory traversal attempts, brute force username attempts, you name it.

link
kam 606 days ago
If your site is vulnerable to SQL injection, you need to fix that, not pretend Cloudflare will save you.
link
zahllos 606 days ago
Obviously. But I was responding to "what is sinister about a GET request". To put it a slightly different way, it does not matter so much whether the request is a read or a write. For example DNS amplfication attacks work by asking a DNS server (read) for a much larger record than the request packet requires, and faking the request IP to match the victim. That's not even a connection the victim initiated, but that packet still travels along the network path. In fact, if it crashes a switch or something along the way, that's just as good from the point of view of the attacker, maybe even better as it will have more impact.

I am absolutely not a fan of all these "are you human?" checks at all, doubly so when ad-blockers trigger them. I think there are very legitimate reasons for wanting to access certain sites without being tracked - anything related to health is an example.

Maybe I should have made a more substantive comment, but I don't believe this is as simple a problem as reducing it to request types.

link