W3C home > Mailing lists > Public > public-privacy@w3.org > January to March 2015

Re: Super Cookies in Privacy Browsing mode

From: Christine Runnegar <runnegar@isoc.org>
Date: Thu, 8 Jan 2015 22:49:43 +0000
To: David Singer <singer@apple.com>
CC: "public-privacy (W3C mailing list)" <public-privacy@w3.org>
Message-ID: <391C5EAD-6FEA-4DD9-A8FD-C5E1D671EE07@isoc.org>
Hi David,

Regarding your query about private browsing modes -

Copying from the summary of the PING meeting in November …

“ … => TAG and private browsing mode

Mark Nottingham gave an overview of the TAG’s work on browsers “private browsing mode”. The work looks at the mode for three use cases: other users, network attacker, the website itself. The aim is to provide “best class” protection in private browsing mode while not lowering privacy standards outside privacy browsing mode.

The work can be followed on the tag email list [2]. Mark hopes to have a draft ready by the January TAG face-to-face meeting."

[2] www-tag@w3.org"

Christine

On 8 Jan 2015, at 11:39 pm, David Singer <singer@apple.com> wrote:

> I think we might need a consensus definition of what private browsing mode is, and how it affects servers.  We had some offline conversation about it at the workshop.
> 
> For example, for some people ‘private browsing’ starts a sandbox that is initialized from the regular browsing context (cookies and all), but that is discarded at the end of the private browsing session.  There’s no need for supercookies to correlate the regular browsing into private browsing, as the cookies are there.  Correlating the other way will simply raise the ire of users if you are not careful, as it would persist state and hence ‘leak’ from the private session back into the general one.
> 
> I have some ideas around codifying ‘private browsing mode’ and how to communicate ‘heh, I am trying to be private here!’ to servers.  Is this a topic of interest to others?
> 
>> On Jan 8, 2015, at 12:13 , Rigo Wenning <rigo@w3.org> wrote:
>> 
>> Happy New Year!
>> 
>> Interesting article about how HTTP Strict Transport Security can be used to 
>> circumvent the protections in the private browsing mode. But it seems to be 
>> fixed in firefox >34. I don't know about the other browsers. 
>> 
>> --Rigo
> 
> David Singer
> Manager, Software Standards, Apple Inc.
> 
> 
Received on Thursday, 8 January 2015 22:50:16 UTC

This archive was generated by hypermail 2.3.1 : Thursday, 8 January 2015 22:50:17 UTC