- From: Mark Nottingham <mnot@mnot.net>
- Date: Sat, 20 Dec 2014 18:13:28 +1100
- To: "Eric J. Bowman" <eric@bisonsystems.net>
- Cc: David Singer <singer@apple.com>, TAG List <www-tag@w3.org>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>
Eric, > On 20 Dec 2014, at 5:52 pm, Eric J. Bowman <eric@bisonsystems.net> wrote: > > Mark Nottingham wrote: >> >> What I find interesting is that by the numbers I’ve seen and talked >> to people about in the industry, the vast majority of people *don’t* >> use a proxy cache; that said, what we all seem to be concerned about >> are those specific cases where they are used, and they really help. >> > > Or, don't *think* they use a proxy cache. Most industry insiders will > say conneg is irrelevant, while using conneg to implement compression, > so I have low confidence that they're aware of various devices between > themselves and the websites they access. Sorry, what’s the logical link there? You’ve lost me... > > I'm about to post this link in another response... > > http://www.cs.washington.edu/research/security/web-tripwire/nsdi-2008.pdf > > ...but it's interesting to note that aside from squid, there's no > overlap between that document's list of intermediaries, and one we came > up with on rest-discuss a few years back. They're called "transparent" > proxies for a reason, even if they don't cache, and HTTPS threatens > that entire ecosystem. That “ecosystem” is generally considered to be abusive and illegitimate by the IETF; there’s a long history of condemnation of “interception” a.k.a. “transparent” proxies in the IETF, and enumeration of lots of problems they cause. E.g., see: http://tools.ietf.org/html/rfc3143 http://tools.ietf.org/html/draft-hildebrand-middlebox-erosion-01 It also has never been a recognised mode of proxying in HTTP. >>> 3) We had an interesting offline discussion at the privacy workshop >>> on “imagine if every router on the internet did NAT”. This means >>> that the ability to trace people by IP address would be curtailed: >>> people often don’t both to reduce fingerprinting because the source >>> IP address has already ‘given the game away'. It’s an interesting >>> thought experiment, but its impact on security might be negative. >>> (And there are many other problems, notably pper-peer connections >>> for things like telephony.) >>> >>> Maybe worth a paragraph? >> >> Once one scratches the surface, you can find a multitude of security >> and privacy issues on the Web and Internet. While they’re important >> issues to consider, I’m striving to NOT make this finding the >> be-all-and-end-all of security and privacy, because it will make it >> that much difficult to agree upon, read, and understand. Small >> steps... >> > > Provided those steps are going in the right direction, vs. painting the > Web into a corner. > > FWIW, my NAT gives me away due to timezone and clock skew. Those two > data points equate to like, 1 in 500. Orthogonal, but add Opera and > 1600x1200 resolution, and four data points nail me right down. Being a > modern dinosaur really makes me stick out... > > While I can appreciate the desire for TAG to crank out a producible, I > have issues with anointing TLS when it doesn't address the root problem > of page integrity, while doing away with caching I may very well need > even more, if Net Neut goes the way of the Dodo. I’m really not following you, sorry. Cheers, -- Mark Nottingham http://www.mnot.net/
Received on Saturday, 20 December 2014 07:13:59 UTC