Privacy properties of a cookie replacement (was "Re: Some half-baked thoughts about cookies.")

Hey Stephen!

Forking this into a separate thread to focus the conversation.

On Thu, Aug 16, 2018 at 9:53 AM Stephen Farrell <stephen.farrell@cs.tcd.ie>
wrote:

> On 16/08/18 08:20, Mike West wrote:
> > On 16/08/18 03:26, Amos Jeffries wrote:
> >> As you say, its a neutral proposal. That itself places it on the losing
> >> side in the perfection-or-nothing battle.
> >
> > I agree with this assessment, and I'd suggest that we're unlikely to
> > practically deploy perfection (assuming that we can even define it!).
> > This proposal feels radical in some ways, and would have some interesting
> > impacts if deployed. I look forward to exploring those with y'all. :)
>
> I don't think asking that we aim for a better than ~neutral
> privacy outcome is fairly cast as anything related to perfection.
> (I'm not saying anyone's being unfair, it's just not particularly
> useful rhetoric;-)
>

I take that point, thanks.


> I do think we ought try for, and perhaps require, any long
> term cookie dis/re-placement scheme have better privacy
> properties than the current miasma.
>

I suspect that we'll agree on this, as "better" doesn't seem difficult to
achieve with respect to the status quo.


> I fully agree that aiming for better than ~neutral makes a
> hard problem harder though, and maybe we'd find that there's
> no feasible approach. OTOH, in one recent case (SNI encryption),
> we do seem to have made progress despite that problem appearing
> practically unsolvable for quite a while.
>
> What I'm asking is that, if doing this, we aim for a real
> improvement in privacy too, and include relevant actors and
> incentives in the analysis. We might fail to meet that goal
> of course, but I reckon we really ought try.
>

I agree that it would be helpful to spell out the axes along which we think
cookies need improvement from a privacy perspective. In this thread, I've
talked about the ways in which this proposal impacts two privacy-relevant
aspects of cookies:

1.  They are potentially delivered in plaintext.
2.  They enable third-party tracking.

I think this proposal has significantly positive impact on the first
insofar as it prevents plaintext delivery, and minorly positive impact on
the second insofar as it requires an initial same-site request in order to
enable subsequent cross-site delivery.

I'm sure, however, that there's a lot more here to discuss, and that y'all
have thought about the problem deeply over the years. For instance, you
mentioned incentives for UAs and servers to behave in more privacy-friendly
ways: did you have anything in particular in mind?

Thanks!

-mike
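The two axes Mike lists above, modelled as an added example rather than anything from the thread or the proposal itself: a toy user-agent policy in which state only exists and travels over HTTPS, and cross-site delivery is switched on only by an opt-in that arrived in a same-site context. The `optInCrossSite` signal, the `StateStore` class and the last-two-labels site check are assumptions of this example, not the proposal's mechanism.

```javascript
// Added example (not from the thread or any browser): a toy user-agent
// policy modelling the two privacy properties discussed above, so that the
// ordering of requests that matters for cross-site delivery is visible.
// Assumptions: state is keyed by the request's last two host labels (a
// stand-in for a real registrable-domain check), a response opts in to
// cross-site delivery with a hypothetical `optInCrossSite` signal, and that
// signal only counts when the response arrives in a same-site context.
const siteOf = (url) => new URL(url).hostname.split(".").slice(-2).join(".");
const isHttps = (url) => new URL(url).protocol === "https:";

class StateStore {
  constructor() { this.entries = new Map(); } // site -> { crossSite }

  // Record a response. Plaintext responses create no state at all
  // (property 1); an opt-in received cross-site is ignored (property 2).
  onResponse({ url, topLevelUrl, optInCrossSite = false }) {
    if (!isHttps(url)) return false;
    const site = siteOf(url);
    const entry = this.entries.get(site) ?? { crossSite: false };
    if (optInCrossSite && site === siteOf(topLevelUrl)) entry.crossSite = true;
    this.entries.set(site, entry);
    return true;
  }

  // Decide whether stored state rides along on an outgoing request.
  shouldDeliver({ url, topLevelUrl }) {
    if (!isHttps(url)) return false;                 // never in plaintext
    const entry = this.entries.get(siteOf(url));
    if (!entry) return false;                        // nothing to send
    return siteOf(url) === siteOf(topLevelUrl) || entry.crossSite;
  }
}

// Constructed traffic: a widget from tracker.example embedded on news.example.
function runScenarios() {
  const store = new StateStore();
  const onNews = { url: "https://tracker.example/w.js", topLevelUrl: "https://news.example/" };
  const plain = { url: "http://tracker.example/w.js", topLevelUrl: "https://news.example/" };
  const out = {};
  store.onResponse({ ...onNews, optInCrossSite: true });   // opt-in arrives cross-site
  out.crossSiteBeforeVisit = store.shouldDeliver(onNews);  // false: opt-in was not same-site
  store.onResponse({ url: "https://tracker.example/", topLevelUrl: "https://tracker.example/", optInCrossSite: true });
  out.crossSiteAfterVisit = store.shouldDeliver(onNews);   // true: same-site visit enabled it
  out.plaintext = store.shouldDeliver(plain);              // false: plaintext never carries state
  out.plaintextStored = store.onResponse(plain);           // false: plaintext creates no state
  return out;
}
```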

Received on Thursday, 16 August 2018 08:57:32 UTC