- From: Carl von Loesch <c@rlos.pages.de>
- Date: Thu, 13 Jun 1996 19:23:24 +0200 (MET DST)
- To: Larry Masinter <masinter@parc.xerox.com>
- Cc: c@rlos.pages.de, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Larry Masinter typeth:

| connect?"). The kind of user tracking that you're suggesting could
| even be enhanced today in HTTP/1.0 by fiddling with the low order bits
| of the Last-Modified date.

I'm feeling warmly terrified. I guess there's nothing we can do then.

| Given that almost all browsers have separate IP connectivity, it is
| actually the IP address of the requestor that is the most significant
| "privacy vulnerability"; the only defense is the aggregation of
| multiple users behind proxies where the proxy does not forward the
| identity of the requestor.

I have always been using proxy servers also for that purpose. In Munich for instance about 3 universities all share one big cache server. You cannot trace back people when you get a request from such a proxy. And luckily, even if one manages to do that marking of cache-validators, he will only get a more precise idea of the number of people and their click trails, but still not get the actual host or user name. Guess I've been too paranoid while reading the specs. ;-)

| although I would imagine many browsers would systematically delete all
| "cache-control: private" entries systematically (perhaps as a

That would be too late, as the proxy cache is no longer serving the data to other users, which is what a tracking-site would want to avoid. But nevermind.

| I could imagine lengthening our already lengthy "Security
| Considerations" section to point out this privacy concerns. However,

In this case it would just read like an instruction booklet on how to improve user tracking..

| the alternative you offer (MD5-digest as entity tag) was considered
| but not taken seriously because of the difficulty of constructing them
| and validating them for entities that are constructed on the fly.

Oh that's sad.. I like the idea of checking consistency and validating at once, but I can see the point.

Well then I'm done and wish everyone good luck with the departure of HTTP/1.1! :^)

My Regards, Carl

--
____ _______ mailto:LynX@impACT.pages.de irc:symLynX http://my.pages.de/
mailto:LynX@you.might.aswell.use.this.as.my.mail.address.no.kidding.pages.dE
Received on Thursday, 13 June 1996 10:33:03 UTC
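
Added example, not part of the original message or of any HTTP implementation: an audit that compares the cache validators different clients received for byte-identical bodies, which is how the per-user marking of Last-Modified or entity tags discussed in the thread becomes visible from the outside. The sample observations, URLs, finding names and the quoted-hex ETag form are assumptions constructed for illustration; the last finding only notes that a tag is not the MD5 of the body, the alternative mentioned above.

```python
import hashlib
from email.utils import parsedate_to_datetime

def content_etag(body: bytes) -> str:
    # MD5 serves only as a content identifier here, as in the thread.
    return '"%s"' % hashlib.md5(body).hexdigest()

# Constructed observations: (client, url, etag, last_modified, body).
CSS = b"body { color: black }"
SAMPLES = [
    ("A", "/logo.gif", None, "Thu, 13 Jun 1996 10:00:01 GMT", b"GIF-bytes"),
    ("B", "/logo.gif", None, "Thu, 13 Jun 1996 10:00:02 GMT", b"GIF-bytes"),
    ("C", "/logo.gif", None, "Thu, 13 Jun 1996 10:00:03 GMT", b"GIF-bytes"),
    ("A", "/page.html", '"u-1001"', None, b"<p>hello</p>"),
    ("B", "/page.html", '"u-1002"', None, b"<p>hello</p>"),
    ("A", "/style.css", content_etag(CSS), "Wed, 12 Jun 1996 08:00:00 GMT", CSS),
    ("B", "/style.css", content_etag(CSS), "Wed, 12 Jun 1996 08:00:00 GMT", CSS),
]

def audit(samples):
    """Map each URL to the set of validator anomalies seen across clients."""
    groups = {}
    for _client, url, etag, last_mod, body in samples:
        # Only responses with byte-identical bodies are comparable.
        key = (url, hashlib.md5(body).digest())
        groups.setdefault(key, []).append((etag, last_mod, body))
    findings = {}
    for (url, _digest), rows in groups.items():
        issues = findings.setdefault(url, set())
        etags = {e for e, _, _ in rows if e}
        dates = {parsedate_to_datetime(d) for _, d, _ in rows if d}
        if len(etags) > 1:
            issues.add("etag-varies")            # same body, different tags
        if len(dates) > 1:
            issues.add("last-modified-varies")   # same body, different dates
        if any(e and e != content_etag(b) for e, _, b in rows):
            issues.add("etag-not-md5-of-body")   # informational only
    return findings

if __name__ == "__main__":
    for url, issues in sorted(audit(SAMPLES).items()):
        print(url, sorted(issues) or "consistent")
```

Validators can also differ for benign reasons, such as several origin servers with different file timestamps, so a finding is a prompt to look closer rather than proof of tracking.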