RE: CSP 1.0: relaxing mandated enforcing and monitoring to avoid from Hill, Brad on 2012-09-17 (public-webappsec@w3.org from September 2012)

From: Hill, Brad <bhill@paypal-inc.com>
Date: Mon, 17 Sep 2012 17:07:38 +0000
To: Fred Andrews <fredandw@live.com>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E26666B@DEN-EXDDA-S12.corp.ebay.com>
Really, the Web App Sec WG is not chartered to address tracking and user privacy.  Again, that may be a matter of the constituency groups involved and the structure of the W3C, but it is what it is, and at the end of the day, implementer interest determines what actually gets implemented in the browser.  I agree there are important use cases for privacy and tracking, but I don't think any of us are convinced that CSP adds particularly unique capabilities for resource owners who would track users without their permission or knowledge, or that it is uniquely detrimental (or even opposed at all to) user-chosen privacy preferences.

At any rate, I will note to this group that Fred has proposed a new community group at the W3C that would be a good home to have this larger, framing discussion about technical issues with tracking and privacy in the User Agent:

"The Private User Agent Community Group is chartered to improve user privacy and user control by designing the User Agent to minimize fingerprinting and to improve the control the user has over information shared over the Web and to improve the security of the User Agent in these regards. The group seeks to standardize the designs necessary to achieve these goals, to develop extensions designed for privacy to mitigate inevitable losses of functionality, to foster consideration of privacy in the design of other Web standards, and to discuss and develop implementations and test suits. Mechanisms for expressing user privacy preferences to servers and content provides are outside the scope of this group."

I would encourage all members of WebAppSec to read more about it and, if you are so inclined, express your support at:

http://www.w3.org/community/blog/2012/09/17/proposed-group-private-user-agent-community-group/

-Brad Hill

From: Fred Andrews [mailto:fredandw@live.com]
Sent: Sunday, September 16, 2012 8:46 AM
To: Hill, Brad
Cc: public-webappsec@w3.org
Subject: RE: CSP 1.0: relaxing mandated enforcing and monitoring to avoid

Dear Brad,

Thank you again for the insights.

I appreciate that the w3c might view fingerprinting and tracking as inevitable, but their options appear to be rather constrained by interest groups.  Users do not have such constraints and UA development driven by user needs may well be able to address this issue.

Note that the firefox 'noscript' extension webpage currently reports 2,180,733 users, and the Ghostery extension 675,177 users.  There is some interest in such tools - even if they have knobs on them.

CSP could have also helped improve safety for users interested in privacy and could have complemented their needs, so it is a bit disappointing that their needs can not be considered.

It should be possible for content servers to choose to support both the published CSP and users interested in privacy by not requiring reports be returned, not depending on being able to trip their own restrictions, and not depending on DOM access.

Policy based solutions to tracking, such as DNT, just increase the fingerprint surface - its good for a laugh though.

There are many sources of leaks, but there are technical solutions to address large classes of these leaks.  I see it as quite practical for children and new web users to start with such UAs as they would be inherently safer and less of a cognitive burden.

It is true that a privacy sensitive UA would be identifiable from current standard UAs - it can probably not all be spoofed well.  These UAs would need a significant share of usage for protection.   By design and necessity they would all want to appear the same which would help improve their share.  Privacy is not an all-or-nothing matter, and improved privacy and safety may well be enough for many users.

cheers
Fred
________________________________
From: bhill@paypal-inc.com<mailto:bhill@paypal-inc.com>
To: fredandw@live.com<mailto:fredandw@live.com>; eoftedal@gmail.com<mailto:eoftedal@gmail.com>; w3c@adambarth.com<mailto:w3c@adambarth.com>
CC: public-webappsec@w3.org<mailto:public-webappsec@w3.org>
Date: Fri, 14 Sep 2012 22:16:10 +0000
Subject: RE: CSP 1.0: relaxing mandated enforcing and monitoring to avoid

Fred,



The rough consensus of folks at the W3C these days seems to be that, as currently built, tracking/fingerprinting is an almost inevitable and unavoidable consequence of the general-purpose web browser.  That's not a value judgment, just a statement of fact that's becoming more true every day.



That's why the Tracking Protection Working Group (http://www.w3.org/2011/tracking-protection/) is focusing on a policy-based solution rather than trying to make tracking technically impossible.



Users who seek to avoid the technical possibility that their browser will be fingerprinted really need to seek out a user agent that is specifically designed with that goal in mind.  Even if we surfaced to the user the option to disable reports, other parts, or all of CSP, it would only be a small part of a giant list of such opt-outs the user agent would need to provide for meaningful protection.  Such a list would be unapproachable by the average user, and just the act of customizing it would likely result in a browser that's even more uniquely identifiable than the one they started with.



We're not trying to shirk responsibility here, but it's just not a problem we can solve in this group, or even incrementally provide options that are meaningful to more than a vanishingly small fraction of users.



-Brad Hill



From: Fred Andrews [mailto:fredandw@live.com]<mailto:[mailto:fredandw@live.com]>
Sent: Friday, September 14, 2012 8:12 AM
To: Erlend Oftedal; Adam Barth
Cc: public-webappsec@w3.org<mailto:public-webappsec@w3.org>
Subject: RE: CSP 1.0: relaxing mandated enforcing and monitoring to avoid





> From: eoftedal@gmail.com<mailto:eoftedal@gmail.com>
> Date: Thu, 13 Sep 2012 22:12:44 -0700
> To: fredandw@live.com<mailto:fredandw@live.com>; w3c@adambarth.com<mailto:w3c@adambarth.com>
> CC: public-webappsec@w3.org<mailto:public-webappsec@w3.org>
> Subject: RE: CSP 1.0: relaxing mandated enforcing and monitoring to avoid
...
> But is there really a way of removing the possibility of detecting if
> CSP is implemented? The website could always just have the browser
> visit some pages with CSP enabled and see which requests come through.

Yes, if the reporting is opt-in and violations are reported to the user and cause
the embedded widget to halt.   Servers would not be able to probe using the report-only
return channel, and content that tried to trip its own restrictions to probe the clients
implementation could be detected by the client and alert the user or be inhibited.

cheers
Fred
Received on Monday, 17 September 2012 17:08:13 UTC