Re: scrub-referrer directive?

From: Mike Perry <mikeperry@torproject.org>
Date: Sun, 29 May 2011 16:58:32 -0700
To: public-web-security@w3.org
Message-ID: <20110529235831.GD32721@fscked.org>

Thus spake Nico Williams (nico@cryptonector.com):

> On Fri, May 27, 2011 at 11:54 PM, Adam Barth <w3c@adambarth.com> wrote:
> > Yeah, the sites that leak data in the paper seem like the types that
> > would be helped more by on-by-default protection.  I'm too scared of
> > what would happen if we nuked Referer by default though.  :(
> 
> Well, just what would happen?
>
> One guess: sites that want linkees to get referrer info will resort to
> redirects, with URLs encoded in URLs (quite possibly via encryption,
> to defeat URL cleaning add-ons).

Yeah, the Tor Project's perspective so far has been that anything that
can be transmitted via the referer will probably just move to the URL
parameters if there are widespread attempts to block it.

Strangely, this has been our perspective despite the fact that we
could probably safely break the model without people adapting to us
breaking it. We do have code to try to apply a form of origin
restriction to referer transmission, but so far we've been afraid to
enable it by default :).

> Another guess: site operators will scream bloody murder :)
> 
> What else?
> 
> But if site operators use referrers as a way to purposefully (yet with
> plausible deniability) leak information to selected third parties...
> What else can users do but turn off Referrers?

I think what makes the referer valuable is the fact that as a third
party, once you can scrape PII from somewhere, you've got it for every
other site the user accesses that you are sourced on because of cookie
transmission, DOM storage, Flash cookies, and cache effects. You can
then fill in your user profile (using stored retroactive history) from
just one PII transmission at any point in time.

This high amount of payoff makes me think that unless the browser is
also isolating all browser state to top-level domains, the ad networks
will be heavily incentivized to look to strike deals with sites to
transmit all of this info encoded in URL params instead. All they need
is to find some cross-section of sites who are willing to play ball
for the right price.

If state is isolated to top-level domains, the user will be less
damaged in an overall privacy sense by these partnerships, explicit or
implicit, because they will not necessarily lead to continued tracking
elsewhere.


That said, Sid's idea of adding an inheritable noreferer to html/body
seems like a good move, so content sites can at least control this
relationship on their end. You're going to see attempts to subvert
user control either way so long as the information has such high value
for ubiquitous tracking purposes.


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs

Received on Monday, 30 May 2011 08:10:57 GMT
