- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Fri, 13 Sep 2013 13:51:44 -0700
- To: "Roy T. Fielding" <fielding@gbiv.com>
- Cc: Patrick Pelletier <code@funwithsoftware.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, HTTP Working Group <ietf-http-wg@w3.org>, perpass@ietf.org
On 13 September 2013 13:26, Roy T. Fielding <fielding@gbiv.com> wrote: > In any case, the primary source for fingerprinting information > in browsers is the DOM interfaces, and I've seen very little to > suggest that browser developers are willing to remove them. Speaking as someone actively involved in expanding the browser fingerprinting surface, the DOM is definitely where the worst fingerprinting problems exist. That's not to say that the right response is to throw our hands up and say "the Chinese are doing nothing about climate change, why should we suffer hardship?" Putting the fact that the premise is completely wrong aside for a moment, there are things that can be done. On the down side, we're not really the right group to do it. On the up side, the browsers - who are the right people - already are doing something. There aren't that many browsers in wide use. Most of those automatically update. The number of fingerprinting bits available from User-Agent if you use one of these browsers is actually very low. The value derived from those bits is simultaneously diminishing as more capability detection moves to the DOM. It may be that at some future point, the value of User-Agent diminishes to the point that browsers will cease sending it (or they will all send the same thing). At which point it contains zero bits of fingerprint entropy. For the moment, it's still very useful in some contexts, particularly mobile, so I suspect that it would very hard to go cold turkey.
Received on Friday, 13 September 2013 20:52:11 UTC