Re: Alt-Svc Privacy Concerns

On Sun, Apr 10, 2016 at 5:04 AM, Ryan Hamilton <rch@google.com> wrote:

> On Sat, Apr 9, 2016 at 10:41 AM, Phil Lello <phil@dunlop-lello.uk> wrote:
>
>> Specifically, although I know that, for example, google.com and
>> youtube.com are tightly related, the average user might not. Over a TLS
>> end-to-end connection, Alt-Svc seems to make it easy to track activities
>> between domains without user knowledge or consent. Ditto for
>> blog1.wordpress.com and blog2.wordpress.com.
>>
>
> Cookies can already be set on wordpress.com which would apply to blog1
> and blog2 so isn't the tracking you are describing already possible?
>
Yes, in the common base domain scenario, it's already possible, but
requires design choices by the hosted application(s) to set domain-level
cookies. In cross-domain scenarios, it's as bad for privacy as 3rd party
cookies. Alt-Svc abstracts the behaviour up to at least the webserver
level, if not out to the network edge.

Received on Sunday, 10 April 2016 10:30:52 UTC