Re: Slower HTTP for privacy

On 1/30/23 18:27, Nick Harper wrote:
> It sounds like what you want is Client Hints 
> (https://developer.mozilla.org/en-US/docs/Web/HTTP/Client_hints).

Roughly, but it still doesn't eliminate the existing headers altogether.

Client Hints seems to be *positive* hints only, i.e. "send these, please".

What about *negative* hints, i.e. "don't even bother sending these"? How 
do you prevent useless data from being sent?

>
> On Mon, Jan 30, 2023 at 10:48 AM Soni L. <fakedme+http@gmail.com> wrote:
>
>     On 1/30/23 04:44, Fabian Keil wrote:
>     > "Soni L." <fakedme+http@gmail.com> wrote on 2023-01-29 at 11:45:53:
>     >
>     > > It would be appreciated if there were a slower HTTP, with more round
>     > > trips, explicitly designed with privacy negotiation in mind.
>     > >
>     > > Importantly, you can't leak data which you do not have. The best way to
>     > > not have that data is to not receive it.
>     > >
>     > > Why does a server need to accept user agents and a bunch of other
>     > > unnecessary stuff if it isn't gonna use it? Doesn't it just make the
>     > > server more liable for no good reason? Make it possible to turn it off!
>     > > Most of it can just be turned off.
>     > >
>     > > In fact, the simplest servers (static hosting) only really need the URL
>     > > and the Host. Everything else is unnecessary liability.
>     >
>     > It's not exactly what you ask for, but Privoxy [0] has a
>     > delay-response{} response action [1] that is somewhat related.
>     >
>     > Fabian
>     >
>     > [0] <https://www.privoxy.org/>
>     > [1] <https://www.privoxy.org/user-manual/actions-file.html#DELAY-RESPONSE>
>
>     It's not at all what we ask for! Uh, we mean like, why does the HTTP
>     server have to parse and discard the User-Agent header and another 10 or
>     so headers which it has no use for, instead of just... not receiving
>     those headers in the first place?
>
>     Why can't the client send URL and Host, then wait for the server to send
>     a Headers Required message, then send the required headers (which may be
>     none)? Yes, it takes longer (more RTTs), but the best way to improve
>     privacy is to not have the data in the first place.
>

Received on Monday, 30 January 2023 21:41:58 UTC
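
The two-step exchange proposed in the thread (URL and Host first, then only the headers the server asks for), modelled next to today's single-request behaviour. This is an added example, not code from the thread or from any HTTP implementation. The `Server` class, the `headers_required` call, the `refuse` client policy and all header values are hypothetical or constructed, and no such mechanism exists in HTTP.

```python
# Hypothetical sketch: the "Headers Required" step and every name below
# are invented for illustration; HTTP defines no such mechanism.

# Constructed sample: headers a typical browser attaches by default.
CLIENT_HEADERS = {
    "User-Agent": "ExampleBrowser/1.0 (constructed sample)",
    "Accept-Language": "de-DE,de;q=0.9",
    "Accept-Encoding": "gzip, br",
    "Referer": "https://other.example/page",
    "Cookie": "session=constructed-sample",
}


class Server:
    """Records every header name that actually reaches it."""

    def __init__(self, required):
        self.required = [h.lower() for h in required]
        self.received = set()

    def headers_required(self, url, host):
        # Round trip 1: the server has seen only the URL and Host so far.
        return list(self.required)

    def handle(self, url, host, headers):
        self.received.update(name.lower() for name in headers)
        return 200


def conventional_fetch(server, url, host):
    """Today's model: one round trip, every default header is sent."""
    server.handle(url, host, CLIENT_HEADERS)
    return 1  # round trips used


def negotiated_fetch(server, url, host, refuse=()):
    """Proposed model: ask first, then send only what was requested."""
    wanted = server.headers_required(url, host)
    available = {k.lower(): v for k, v in CLIENT_HEADERS.items()}
    # Assumed client policy: a requested header may still be declined.
    to_send = {h: available[h] for h in wanted
               if h in available and h not in refuse}
    server.handle(url, host, to_send)
    return 2  # round trips used
```

A static host constructed with `Server(required=[])` ends the negotiated fetch with an empty `received` set, while the conventional fetch leaves all five header names on the server for the same resource.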