Re: scrub-referrer directive?

From: Mike Perry <mikeperry@torproject.org>
Date: Mon, 13 Jun 2011 13:48:44 -0700
To: public-web-security@w3.org
Message-ID: <20110613204844.GD8329@fscked.org>

Thus spake Mike Perry (mikeperry@torproject.org):

> Thus spake Nico Williams (nico@cryptonector.com):
> 
> > On Fri, May 27, 2011 at 11:54 PM, Adam Barth <w3c@adambarth.com> wrote:
> > > Yeah, the sites that leak data in the paper seem like the types that
> > > would be helped more by on-by-default protection.  I'm too scared of
> > > what would happen if we nuked Referer by default though.  :(
> > 
> > Well, just what would happen?
> >
> > One guess: sites that want linkees to get referrer info will resort to
> > redirects, with URLs encoded in URLs (quite possibly via encryption,
> > to defeat URL cleaning add-ons).
> 
> Yeah, the Tor Project's perspective so far has been that anything that
> can be transmitted via the referer will probably just move to the URL
> parameters if there are widespread attempts to block it.
> 
> Strangely, this has been our perspective despite the fact that we
> could probably safely break the model without people adapting to us
> breaking it. We do have code to try to apply a form of origin
> restriction to referer transmission, but so far we've been afraid to
> enable it by default :).
> 
> > Another guess: site operators will scream bloody murder :)
> > 
> > What else?
>
> That said, Sid's idea of adding an inheritable noreferer to html/body
> seems like a good move, so content sites can at least control this
> relationship on their end. You're going to see attempts to subvert
> user control either way so long as the information has such high value
> for ubiquitous tracking purposes.

I started to feel guilty about possibly killing this thread (or at
least ending it on such a downer). For non-Tor users, even with no
third party cookies, referer leakage is more severe because of the IP
address linkability, even if it is accidental.

I also realized that Sid's idea has a converse that I thought should
be mentioned. There could be an inheritable attribute that allows
sites to request unrestricted referer transmission in a
default-off/restricted referer situation (like Private Browsing Mode).
The chrome could ask for user permission to transmit unrestricted
referers for this site, but in reality I don't think any UI is needed
from a security sense, because sites can smuggle whatever they want
into URL parameters anyways.

You then solve the "sites screaming bloody murder" point, and referer
transmission at least becomes more explicit instead of easily confused
with negligence and oversight.


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs

Received on Monday, 13 June 2011 20:49:14 UTC
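
The default-restricted referer model with a site opt-in, as discussed in the message above, sketched as an added example (not part of the original post and not Tor Project code). The function name and the `restrictedMode` and `allowUnrestricted` options are hypothetical; `allowUnrestricted` stands in for the proposed inheritable attribute, which the message does not name.

```javascript
// Added illustration; names below are assumptions, not an existing browser API.
// Returns the Referer value to send with a request, or null to send none.
function refererFor(sourceUrl, targetUrl, { restrictedMode, allowUnrestricted }) {
  const src = new URL(sourceUrl);
  const dst = new URL(targetUrl);

  // Only http(s) documents produce a Referer at all.
  if (src.protocol !== 'http:' && src.protocol !== 'https:') return null;

  // An https URL is not sent to a plaintext destination, opt-in or not.
  if (src.protocol === 'https:' && dst.protocol !== 'https:') return null;

  // Credentials and fragment are never part of a Referer value.
  src.username = '';
  src.password = '';
  src.hash = '';

  const sameOrigin = src.origin === dst.origin;

  // Default-off/restricted situation (such as Private Browsing Mode):
  // cross-origin requests carry no Referer unless the source site has
  // explicitly requested unrestricted transmission.
  if (restrictedMode && !sameOrigin && !allowUnrestricted) return null;

  return src.href;
}

// Constructed sample: a page on a.example linking to b.example.
const page = 'https://a.example/search?q=private+term#results';
console.log(refererFor(page, 'https://b.example/', {
  restrictedMode: true, allowUnrestricted: false }));
console.log(refererFor(page, 'https://b.example/', {
  restrictedMode: true, allowUnrestricted: true }));
```

With the opt-in absent, the query string in the constructed page URL never reaches the other origin; with it present, the leak is an explicit choice by the source site.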

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:26:19 UTC