Re: Alt-Svc Privacy Concerns from Phil Lello on 2016-04-09 (ietf-http-wg@w3.org from April to June 2016)

From: Phil Lello <phil@dunlop-lello.uk>
Date: Sat, 9 Apr 2016 19:25:59 +0100
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Ryan Hamilton <rch@google.com>, Patrick McManus <mcmanus@ducksong.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <CAPofZaEzobDStP9Pm2kSBZOMmmziu5N8bkALvb++ETdnva0K3A@mail.gmail.com>

This is a slightly different issue than the described scenario, and I'm far
from certain that the risks are adequately highlighted there.

"By using unique names, servers could conceivably track client requests."
seems incredibly weak to the point of being dismissive, since it suggests a
per-client hostname being generated, and that it's incredibly unlikely
anyone would bother.

IMHO, it's quite likely that multiple seemingly unrelated sites operated by
the same entity might legitimately converge users to a common servername.
It's quite likely that at this point that the user agent would see these as
candidates for sharing the same connection. It seems reasonable that there
should at least be a recommendation for a user agent to warn users that
there is significant potential for being tracked, and gain consent.

On Sat, Apr 9, 2016 at 6:51 PM, Martin Thomson <martin.thomson@gmail.com>
wrote:

> On 9 April 2016 at 14:41, Phil Lello <phil@dunlop-lello.uk> wrote:
> > I'm concerned that Alt-Svc, especially used like this, is re-introducing
> the
> > sort of privacy issues people have been trying to eliminate with cookies
> for
> > years. Appologies if this has already been discussed and I missed it.
>
> http://httpwg.org/http-extensions/alt-svc.html#tracking
>

Received on Saturday, 9 April 2016 18:26:29 UTC