- From: Mark Nottingham <mnot@mnot.net>
- Date: Sun, 25 Dec 2016 15:47:31 -0500
- To: Nick Doty <npdoty@ischool.berkeley.edu>, Ilya Grigorik <ilya@igvita.com>
- Cc: HTTP working group mailing list <ietf-http-wg@w3.org>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>, Mike O'Neill <michael.oneill@baycloud.com>
Thanks, Nick. A few responses below. > On 13 Dec 2016, at 8:08 pm, Nick Doty <npdoty@ischool.berkeley.edu> wrote: > > I share Mike's concern about the privacy issues of this proposed mechanism. It appears that this feature would ease browser fingerprinting; inhibit efforts to detect or mitigate browser fingerprinting; and expose local network information. The Security Considerations section does not adequately describe or mitigate these impacts. > > In particular, while some information exposed in these hints may already be available to client-side JavaScript in some browser implementations, making the same information available in (potentially all) HTTP requests would make fingerprinting more trivially achievable and, importantly, less detectable. Making fingerprinting detectable is a key goal given the challenge of eliminating the capability altogether and the potential harmful effects of unsanctioned tracking methods. Moving information about the user from active client-side code into HTTP requests inhibits user agents, researchers and policymakers in detecting that fingerprinting is ongoing. Right. It seems like Security Considerations needs to be rewritten with this in mind; i.e., that fingerprinting which used to require active measures could now be performed passively. > Related, adding HTTP headers for subrequests, including to static resources, exposes client information to parties that previously would not have been able to access it, and in a way where the user agent cannot detect it. The Introduction notes as a limitation that HTTP cookies are bound by the same-origin policy; we typically cite the same-origin policy as a feature of the Web privacy model, not something to be removed. In some cases, CH is necessary on sub requests for proper conneg; e.g. DPR and Width. In others, it could probably be restricted to the navigation request (e.g., Viewport-Width). Ilya, I know we'd said that much of this could be handled in the Fetch integration, but could we have some high-level constraints on when it's to be sent in this spec? > Finally, this draft includes adding access to local network information; as defined, this is potentially high entropy (as opposed to "Save-Data" which has only the "on" value) the "Downlink" header has (at least) 33 values in the cited Community Group report and user agents and can also reveal private network topology that might otherwise have been intentionally obscured. Save-Data is defined in terms of NetInfo's downlinkMax, which seems to be a double. Personally, I'd agree that having that much precision isn't terribly helpful. Ilya, as an aside -- referring to NetInfo is going to be problematic; it will likely block publication. Can we make that non-normative (or ideally, drop it)? > Mitigations could include, as Mike suggests, asking users to opt in, although explaining the details to users may be difficult. That's already discussed in Security Considerations, although we could certainly expand it. Would you mind making text suggestions? > Detectability could be improved by requiring that user agents only send client hint information in HTTP if the server has specifically requested it in an HTTP response header. How do people feel about requiring Accept-CH before sending any CH? Right now it's implied, but we could raise this to a requirement. > Specifying that hints should not be sent to other origins on subrequests would limit the unintentional spread of this client information. At that point, however, it's not entirely clear how great the functional advantage is over using existing mechanisms (like client-side JavaScript access to user agent information and explicit HTTP cookies for managing preferences). Restricting values to a smaller enumerated range is mentioned, but the specification does not provide such an enumeration or recommend its use. It seems like candidates for that would be Width, Viewport-Width and Downlink (as discussed above). AFAICT Width and Viewport-Width do not require pixel precision; would rounding to the nearest 10 be sufficient? > While I'm glad to see that there has been some discussion of active/passive fingerprinting and our draft on mitigating browser fingerprinting (https://github.com/httpwg/http-extensions/issues/215), I'm not sure those issues have been substantively resolved. That implementers could potentially implement a variety of mitigations is accurate, but if we consider which of those mitigations is necessary to prevent a marked harm to user privacy, we could include some mitigations in the design, such that UA/server implementation variation doesn't determine the outcome. > > The first sentence of the Security Considerations section appears to be false. >> Client Hints defined in this specification do not expose new >> information about the user's environment beyond what is already >> available to, and can be communicated by, the application at runtime >> via JavaScript and CSS. > > Both the Downlink and Save-Data client hint, if broadly implemented, would likely reveal new information about the user's environment. Also, it's generally concerning when the first sentence of the Security Considerations section does not summarize the security or privacy issues of a specification but instead suggests to the casual reader that there's nothing to see here. > >> However, implementors >> should consider the privacy implications of various methods to enable >> delivery of Client Hints - see "Sending Client Hints" section. > > The Security Considerations section also refers to the Sending Client Hints section, but I don't understand the point it's trying to make. Is it just that user agents can use user preferences to decide whether to send client hints and could use that as a time to consider privacy implications? > > Thanks, > Nick > >> On Dec 3, 2016, at 1:58 AM, Mike O'Neill <michael.oneill@baycloud.com> wrote: >> >> I worry that this makes fingerprinting easier for tracking servers, especially for subresources. >> It is true that these capabilities are already available via JS but only for browsing contexts and the extra turnaround forces some stickiness. This would make these granular user-agent capabilities immediately available to any resource, without need for a round trip. >> >> I think that at least the availability of a user opt-in should be a MUST. >> >> -----Original Message----- >> From: internet-drafts@ietf.org [mailto:internet-drafts@ietf.org] >> Sent: 02 December 2016 18:08 >> To: i-d-announce@ietf.org >> Cc: ietf-http-wg@w3.org >> Subject: I-D Action: draft-ietf-httpbis-client-hints-03.txt >> >> >> A New Internet-Draft is available from the on-line Internet-Drafts directories. >> This draft is a work item of the Hypertext Transfer Protocol of the IETF. >> >> Title : HTTP Client Hints >> Author : Ilya Grigorik >> Filename : draft-ietf-httpbis-client-hints-03.txt >> Pages : 13 >> Date : 2016-12-02 >> >> Abstract: >> An increasing diversity of Web-connected devices and software >> capabilities has created a need to deliver optimized content for each >> device. >> >> This specification defines a set of HTTP request header fields, >> colloquially known as Client Hints, to address this. They are >> intended to be used as input to proactive content negotiation; just >> as the Accept header field allows clients to indicate what formats >> they prefer, Client Hints allow clients to indicate a list of device >> and agent specific preferences. >> >> >> The IETF datatracker status page for this draft is: >> https://datatracker.ietf.org/doc/draft-ietf-httpbis-client-hints/ >> >> There's also a htmlized version available at: >> https://tools.ietf.org/html/draft-ietf-httpbis-client-hints-03 >> >> A diff from the previous version is available at: >> https://www.ietf.org/rfcdiff?url2=draft-ietf-httpbis-client-hints-03 >> >> >> Please note that it may take a couple of minutes from the time of submission >> until the htmlized version and diff are available at tools.ietf.org. >> >> Internet-Drafts are also available by anonymous FTP at: >> ftp://ftp.ietf.org/internet-drafts/ -- Mark Nottingham https://www.mnot.net/
Received on Sunday, 25 December 2016 20:48:04 UTC