Re: Improved Client Identification

On 20 February 2015 at 15:36, Sanel Mesinovic <sanel.mesinovic@ymc.ch> wrote:
> Hello,
>
> I found your email address here. Have one small contribution / request to
> make to the new HTTP 2 protocol. Already wrote an email a long time ago to Tim
> Berners Lee however no reply. Maybe someone during this time already
> raised the issue.

Unfortunately, HTTP/2 is now complete, which means this request is out
of scope for HTTP/2. You could make this request as a generic HTTP
extension, however I don't recommend it.

> In my opinion the new protocol should introduce a better way to uniquely
> identify the client. Currently it is not possible to uniquely identify a
> user. IP identification is not reliable. There can be two or more users
> behind the same IP. Session identification is even worse.

Why?

Setting a cookie absolutely does uniquely identify a client, unless
the client chooses to remove it. It also does not allow correlation
across origins. For that reason, I have to assume that the following
motivations apply to this request:

- you'd like to be able to uniquely identify a client across multiple domains
- you'd like to prevent clients from being able to opt out of tracking

I'd say that either one of these is in violation of IETF BCP 188[0],
though I admit to that being a slightly broader reading of BCP 188
than is common. IMO, clients should always be able to choose not to be
tracked, and they should certainly be free from any form of
cross-domain tracking. There is a reason that people are uncomfortable
with the way the Facebook 'like' button can be used to track users as
they move around the web: adding an easier tool to do it would not
make people happier, safer or more free.

I am confident the IETF and this WG would never dream of adding such
functionality.

[0]: https://tools.ietf.org/html/bcp188

Received on Thursday, 5 March 2015 09:44:09 UTC