- From: Matthew Kerwin <matthew@kerwin.net.au>
- Date: Sun, 10 Apr 2016 14:47:06 +1000
- To: Phil Lello <phil@dunlop-lello.uk>
- Cc: ietf-http-wg@w3.org
- Message-ID: <CACweHNBoAOX4mWjyeAw7QWmsdb=zGVkx4-t2ftpcLzZg6k1sGg@mail.gmail.com>
On 10/04/2016 4:33 AM, "Phil Lello" <phil@dunlop-lello.uk> wrote: > > This is a slightly different issue than the described scenario, and I'm far from certain that the risks are adequately highlighted there. > > "By using unique names, servers could conceivably track client requests." seems incredibly weak to the point of being dismissive, since it suggests a per-client hostname being generated, and that it's incredibly unlikely anyone would bother. > > IMHO, it's quite likely that multiple seemingly unrelated sites operated by the same entity might legitimately converge users to a common servername. It's quite likely that at this point that the user agent would see these as candidates for sharing the same connection. It seems reasonable that there should at least be a recommendation for a user agent to warn users that there is significant potential for being tracked, and gain consent. > This sounds like a UX thing -- incognito sessions oughtn't reuse connections for different URI hostnames, even if the alt-svcs point to the same name. The consent, then, is not being incognito. Is it worth documenting this risk/advice somewhere, or is it already self-evident?
Received on Sunday, 10 April 2016 04:47:35 UTC