- From: Mike Perry <mikeperry@torproject.org>
- Date: Sun, 29 May 2011 16:58:32 -0700
- To: public-web-security@w3.org
- Message-ID: <20110529235831.GD32721@fscked.org>
Thus spake Nico Williams (nico@cryptonector.com):

> On Fri, May 27, 2011 at 11:54 PM, Adam Barth <w3c@adambarth.com> wrote:
> > Yeah, the sites that leak data in the paper seem like the types that
> > would be helped more by on-by-default protection. I'm too scared of
> > what would happen if we nuked Referer by default though. :(
>
> Well, just what would happen?
>
> One guess: sites that want linkees to get referrer info will resort to
> redirects, with URLs encoded in URLs (quite possibly via encryption,
> to defeat URL cleaning add-ons).

Yeah, the Tor Project's perspective so far has been that anything that
can be transmitted via the referer will probably just move to the URL
parameters if there are widespread attempts to block it. Strangely, this
has been our perspective despite the fact that we could probably safely
break the model without people adapting to us breaking it. We do have
code to try to apply a form of origin restriction to referer
transmission, but so far we've been afraid to enable it by default :).

> Another guess: site operators will scream bloody murder :)
>
> What else?
>
> But if site operators use referrers as a way to purposefully (yet with
> plausible deniability) leak information to selected third parties...
> What else can users do but turn off Referrers?

I think what makes the referer valuable is the fact that as a third
party, once you can scrape PII from somewhere, you've got it for every
other site the user accesses that you are sourced on because of cookie
transmission, DOM storage, Flash cookies, and cache effects. You can
then fill in your user profile (using stored retroactive history) from
just one PII transmission at any point in time.

This high amount of payoff makes me think that unless the browser is
also isolating all browser state to top-level domains, the ad networks
will be heavily incentivized to look to strike deals with sites to
transmit all of this info encoded in URL params instead. All they need
is to find some cross-section of sites who are willing to play ball for
the right price.

If state is isolated to top level domains, the user will be less damaged
in an overall privacy sense by these partnerships, explicit or implicit,
because they will not necessarily lead to continued tracking elsewhere.

That said, Sid's idea of adding an inheritable noreferer to html/body
seems like a good move, so content sites can at least control this
relationship on their end. You're going to see attempts to subvert user
control either way so long as the information has such high value for
ubiquitous tracking purposes.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
Received on Monday, 30 May 2011 08:10:57 UTC
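The message above mentions "a form of origin restriction to referer transmission" and a page-level noreferrer opt-out, without spelling out the rules. The following is an added illustrative example, not part of the archived message and not Tor Browser's own code: a small policy function that decides what Referer value a browser should attach to a request. The rules it implements (full URL to the same origin, origin only cross-origin, nothing on an https-to-http downgrade or when the linking page opts out) are an assumption modelled on the idea in the thread, and the sample URLs are constructed. It shows concretely why the query string, where PII such as an e-mail address tends to sit, never reaches a third-party ad resource under such a policy.

```python
"""Illustrative origin-restricted Referer policy (added example, not Tor Browser code).

Assumed rules, modelled on the 'origin restriction' idea in the thread:
  * same origin            -> full URL minus fragment and userinfo
  * cross origin           -> scheme://host[:port]/ only
  * https -> http downgrade -> no Referer at all
  * page opted out         -> no Referer at all (the 'noreferrer' idea)
"""
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

SECURE_SCHEMES = {"https"}


def origin_of(url: str) -> str:
    """Return scheme://host[:port] with no path, query, fragment or credentials."""
    p = urlsplit(url)
    if not p.scheme or not p.hostname:
        raise ValueError(f"not an absolute URL: {url!r}")
    host = p.hostname  # urlsplit lowercases the host and strips user:pass@
    if p.port is not None:
        host = f"{host}:{p.port}"
    return f"{p.scheme}://{host}"


def referer_to_send(source: str, destination: str, noreferrer: bool = False) -> Optional[str]:
    """Decide the Referer value for a request from `source` to `destination`.

    Returns the cleaned full URL, the bare origin, or None (header omitted).
    """
    if noreferrer:
        # The linking document asked that no referrer be sent (page-level opt-out).
        return None
    src, dst = urlsplit(source), urlsplit(destination)
    # Never carry a referrer from a secure page into a plaintext request.
    if src.scheme in SECURE_SCHEMES and dst.scheme not in SECURE_SCHEMES:
        return None
    if origin_of(source) == origin_of(destination):
        # Same origin: keep path and query, drop fragment and any user:pass@.
        netloc = src.hostname + (f":{src.port}" if src.port else "")
        return urlunsplit(src._replace(netloc=netloc, fragment=""))
    # Cross origin: the third party learns only where the request came from.
    return origin_of(source) + "/"


def exposed_query_keys(referer: Optional[str]) -> list:
    """Names of query parameters a recipient would see in the given Referer value."""
    if not referer:
        return []
    query = urlsplit(referer).query
    return [pair.split("=", 1)[0] for pair in query.split("&") if pair]


if __name__ == "__main__":
    # Constructed sample: a profile page whose URL carries the user's e-mail.
    page = "https://site.example/profile?email=alice@example.com#top"
    for dest, opt_out in [
        ("https://site.example/settings", False),   # same-origin link
        ("https://ads.example/pixel.gif", False),   # third-party resource
        ("http://ads.example/pixel.gif", False),    # plaintext third party
        ("https://ads.example/pixel.gif", True),    # page opted out
    ]:
        value = referer_to_send(page, dest, noreferrer=opt_out)
        print(f"{dest:35} -> {value!r}; exposes {exposed_query_keys(value)}")
```

Running the block prints, for each constructed destination, what the recipient would receive; only the same-origin request ever sees the `email` parameter. Real browsers implement a closely related scheme through the Referrer-Policy header and `rel="noreferrer"`, which this example does not model.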