Re: ACTION-278 Hiding metadata for security reasons

From: Tyler Close <tyler.close@gmail.com>
Date: Mon, 8 Feb 2010 18:10:02 -0800
Message-ID: <5691356f1002081810h16422ec4n2b9599a0780d67e6@mail.gmail.com>
To: Tim Berners-Lee <timbl@w3.org>
Cc: John Kemp <john@jkemp.net>, Dan Connolly <connolly@w3.org>, ashok.malhotra@oracle.com, Larry Masinter <masinter@adobe.com>, Jonathan Rees <jar@creativecommons.org>, "www-tag@w3.org" <www-tag@w3.org>, "Mark S. Miller" <erights@google.com>
On Mon, Feb 8, 2010 at 5:29 PM, Tim Berners-Lee <timbl@w3.org> wrote:
>
> On 2010-02-08, at 07:41, John Kemp wrote:
>
> Yes, I believe that to be true too - apart from the case where a URI may end
> up being transmitted to another site "automatically" by means of the Referer
> HTTP header.
>
>
> Generalizing, you could argue that client software is written so as to store
> and remember and spread URIs, unlike passwords. So passwords are stored
> hidden away in some way, but browsing history and bookmarks are not.

That seems like an enormous logical leap to take based only on the
Referer header. It is also contrary to the implementation of most
user-agents, which protect the browsing history and bookmarks from
access by presented content, just as they do passwords. Projects such
as Mozilla's Weave, which support synchronizing this information
across user-agents, also go to significant lengths to ensure the data
is never in cleartext outside the user's computer. All data is sent
encrypted and stored encrypted on Mozilla's servers. See:

http://mozillalabs.com/weave/

Clearly they believe the browser history and bookmarks are confidential
information to be protected.

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Tuesday, 9 February 2010 02:10:36 GMT