- From: Carl von Loesch <c@rlos.pages.de>
- Date: Thu, 13 Jun 1996 15:16:49 +0200 (MET DST)
- To: HTTP Working Group <http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com>
Sorry Larry, but I only got around to reading this immense 1.1 spec this week (and it's taken me several hours to do so), and I found something that makes me worry:

Entity tags are opaque fields, right? So a server could easily append some identifier at the end of an entity tag for the abusive purpose of user tracking. This can be combined with a "Cache-Control: private" to make sure that identifier ends up in a single person's caches only. So the server gets to see every single access, and it even keeps the benefits of local browser caching since browsers are supposed to revalidate with an "If-None-Match"-GET, to which the server of course replies with a "Not Modified", yet logs the vi(s|rt)ually accessed page.

Now if you combine this with Netscape's currently in use non-persistent "Cookie:" mechanism, the server obtains the ability to tag every single file of his in the user's cache with one common user identifier. As soon as the person chooses to drop by again, unless his local cache has faded in the meantime, your server will be able to exactly see who the guy is. So you end up with something like server-side persistent cookies.

This to me looks like a "privacy weakness". Given the complexity of possibilities that opaque entity tags combined with the new cache-control give, I'm afraid there could be plenty more ways to abuse their original purpose even if I got something wrong in the scenario above.

You may want to shoot me (since we're at last call) but I would rather use MD5-digests, which cannot be tampered with, as hard validators for HTTP/1.1. What's wrong with them? Why would we need opaque validators?

If I misunderstood the specs somehow (by the way my scenario is based on draft #3 since draft #5 is currently not retrievable in text form), or these issues have been discussed before, then just tell me and I will shut up. Maybe you can point me to related threads in the archives of this mailing list.
-- ____ _______ mailto:LynX@impACT.pages.de irc:symLynX http://my.pages.de/ mailto:LynX@you.might.aswell.use.this.as.my.mail.address.no.kidding.pages.dE
Received on Thursday, 13 June 1996 06:25:39 UTC
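
An added example, not part of the original message: an audit that flags the per-user entity tags described above by comparing what separate clean client profiles receive for the same URL. The observations are constructed sample data, the function names are hypothetical, and SHA-256 is used here as the content digest for grouping (the message proposes MD5 digests as validators).

```python
import hashlib
from collections import defaultdict

# Constructed observations: (client profile, URL, response headers, body bytes).
OBSERVATIONS = [
    ("profile-a", "/logo.gif", {"ETag": '"5f3c-a91b77"', "Cache-Control": "private"}, b"GIF89a-logo"),
    ("profile-b", "/logo.gif", {"etag": '"5f3c-c04e12"', "cache-control": "Private"}, b"GIF89a-logo"),
    ("profile-a", "/style.css", {"ETag": '"77aa"', "Cache-Control": "max-age=3600"}, b"body{}"),
    ("profile-b", "/style.css", {"ETag": '"77aa"', "Cache-Control": "max-age=3600"}, b"body{}"),
    ("profile-a", "/news.html", {"ETag": '"v1"'}, b"<p>monday</p>"),
    ("profile-b", "/news.html", {"ETag": '"v2"'}, b"<p>tuesday</p>"),
]


def get_header(headers, name):
    """Case-insensitive header lookup; returns None when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def find_per_client_etags(observations):
    """Flag URLs where byte-identical bodies were served with different ETags."""
    etags = defaultdict(dict)    # (url, body digest) -> {etag: [client profiles]}
    private = defaultdict(bool)  # (url, body digest) -> Cache-Control: private seen
    for client, url, headers, body in observations:
        etag = get_header(headers, "ETag")
        if etag is None:
            continue
        key = (url, hashlib.sha256(body).hexdigest())
        etags[key].setdefault(etag, []).append(client)
        cache_control = get_header(headers, "Cache-Control") or ""
        directives = [d.split("=")[0].strip().lower() for d in cache_control.split(",")]
        private[key] = private[key] or "private" in directives
    findings = []
    for (url, digest), by_etag in sorted(etags.items()):
        # A validator that only reflects content would be identical for identical bytes.
        if len(by_etag) > 1:
            findings.append({"url": url, "body_sha256": digest,
                             "etags": by_etag, "private": private[(url, digest)]})
    return findings


if __name__ == "__main__":
    for finding in find_per_client_etags(OBSERVATIONS):
        scope = "private" if finding["private"] else "shared"
        print(finding["url"], scope, finding["etags"])
```

A resource whose body differs between profiles, like `/news.html` in the sample, is not flagged, because differing validators are expected when the content differs.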