Re: Fixing cookies (Re: Some half-baked thoughts about cookies.)

Hi Martin,

On Tue, Aug 28, 2018 at 05:25:24PM +1000, Martin Thomson wrote:
> But as long as those use cases align with things like
> tracking, I think that we ultimately need to consider some classes of
> breakage to be on the table.

In my opinion every hard-breakage makes the situation worse. Look at
the result of the GDPR crap: as already anticipated, it's impossible
to access any simple web site without having to click multiple "I accept
to swallow everything" buttons. It's become a real pain. Has it improved
privacy? Surely not, it's got worse. In 3 months we've been trained to
click everywhere without thinking anymore. And worse, some sites are now
delivering a cookie to know that they asked you the question! Every time
we try to enforce solutions the hard way, we make the end user experience
even worse. Those of us who remember the web in 1999 with "this site is
best viewed with MSIE" or "site designed for 800x600" should realize how
much worse the experience has become since then, mainly over the last few
years, with alerts and ask-for-consent pop-ups everywhere.

What (in my opinion) works is raising awareness to the end user and
leaving him the choice, because in this case the site operators have
an incentive to try to be better than the competitor in terms of UX,
instead of being forced by law to be as bad.

Some simple examples that come to my mind and which could improve the
situation already:
  - when a site delivers a cookie with "too long" a duration, ask the
    user if he's willing to accept it or to trim the duration to a
    shorter one. Let the user configure the max duration before warning.
    Sites will learn that the shorter the duration, the fewer
    irritated people they have, pretty similar to the response time or
    lack of HTTPS these days.

  - when a tab is closed with session cookies in it, ask the user what
    to do with these cookies. This way we'll train users to use the
    "logout" button of the site before closing tabs, and sites to purge
    cookies on logout. This is much more powerful for privacy and
    confidentiality than just trying to redefine cookies.

  - support a maximum duration on session cookies, and offer the choice
    to the user to override it. This problem is not new, we already had
    to work around it in haproxy many years ago because some mobile browsers
    would stick for too long to the same server, thus we encode an expiration
    date in the cookie value to force it to be ignored. It would be way better
    if it could be done by the browser: it would both solve a technical
    problem *and* improve privacy. I even suspect that some users will want
    to have the ability to control the maximum cookie's life and idle time
    by domain. By the way, in haproxy we support both idle and life time,
    which allows a cookie to be dropped past a certain age, or after some
    inactivity period. Typical sites using it for load balancing set the
    max age to around a week and maximum inactivity to around 8-12 hours.
    This can perfectly make sense for applications as well.

  - add the ability for server-side equipment to purge *all* cookies
    for the same domain; right now it's extremely complicated for an
    edge component to emit a response asking to purge all cookies upon
    a logout page, while I think the browser easily knows all of them.
    Thus if the front load balancer could detect the logout page and emit
    a "set-cookie: *=" or something like this to mention that all known
    cookies for the site must be purged (possibly before a specific date
    or only session cookies), that would greatly help framework and
    infrastructure component authors to perform some cleanups by default.

These in my opinion are very low-hanging fruit which can already improve
the situation a lot, first by giving the control back to users, second by
creating incentives for site operators to try to appear better than others
instead of just saying "I'm forcing you to accept these terms because I'm
required to by the laws of your country".

Regards,
Willy

Received on Tuesday, 28 August 2018 08:06:23 UTC
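
The idle and life time limits described in the haproxy item above, sketched as an added example. It is not part of the original message and is neither haproxy's code nor its cookie format. The field layout, the HMAC tag that protects the dates, the key and the names `issue` and `check` are assumptions made for illustration.

```python
import hashlib
import hmac

MAX_LIFE = 7 * 24 * 3600  # "around a week"
MAX_IDLE = 8 * 3600       # low end of "around 8-12 hours"
KEY = b"constructed-demo-key"  # assumption: server-side secret


def _tag(payload):
    # Truncated HMAC-SHA256 so a client cannot rewrite the dates.
    return hmac.new(KEY, payload.encode(), hashlib.sha256).hexdigest()[:32]


def issue(value, now, first_seen=None):
    """Return 'value|last_seen|first_seen|tag'; first_seen survives refreshes."""
    if "|" in value:
        raise ValueError("value must not contain the field separator")
    payload = f"{value}|{now}|{now if first_seen is None else first_seen}"
    return f"{payload}|{_tag(payload)}"


def check(cookie, now):
    """Return (verdict, refreshed_cookie); any verdict but 'ok' means ignore it."""
    payload, _, tag = cookie.rpartition("|")
    if not hmac.compare_digest(tag.encode(), _tag(payload).encode()):
        return "tampered", None
    try:
        value, last_seen, first_seen = payload.split("|")
        last_seen, first_seen = int(last_seen), int(first_seen)
    except ValueError:
        return "malformed", None
    if first_seen > last_seen or last_seen > now:
        return "malformed", None
    if now - first_seen > MAX_LIFE:   # life time: absolute age cap
        return "too old", None
    if now - last_seen > MAX_IDLE:    # idle time: inactivity cap
        return "idle", None
    return "ok", issue(value, now, first_seen)  # activity resets idle only


if __name__ == "__main__":
    t0 = 1535443200  # constructed start time
    cookie = issue("srv1", t0)
    print(check(cookie, t0 + 3600)[0])      # one hour later
    print(check(cookie, t0 + 9 * 3600)[0])  # nine hours of inactivity
```

Because each refresh keeps `first_seen`, a client that stays active still loses the cookie once the life time is exceeded.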