No doubt it is possible to sanitize (or change) the server-bound traffic via some proxy.
But incompetence could easily be behind this, i.e. somebody forgot to throw a compiler switch to turn these 'diagnostics' off. I could see them as very useful during testing, which would explain the lack of encryption. Whereas if the intent was to spy, or 'collect usage data', it would need to be encrypted and users would need to be informed.
Last edited by tomsem; 10-07-2014 at 05:39 PM.