- From: Willy Tarreau <w@1wt.eu>
- Date: Tue, 28 Aug 2018 10:05:49 +0200
- To: Martin Thomson <martin.thomson@gmail.com>
- Cc: Mike West <mkwst@google.com>, HTTP Working Group <ietf-http-wg@w3.org>

Hi Martin,

On Tue, Aug 28, 2018 at 05:25:24PM +1000, Martin Thomson wrote:
> But as long as those use cases align with things like
> tracking, I think that we ultimately need to consider some classes of
> breakage to be on the table.

In my opinion every hard-breakage makes the situation worse. Look at the result of the GDPR crap: as already anticipated, it's impossible to access any simple web site without having to click multiple "I accept to swallow everything" buttons. It's become a real pain. Has it improved privacy? Surely not, it's got worse. In 3 months we've been trained to click everywhere without thinking anymore. And worse, some sites are now delivering a cookie to know that they asked you the question!

Every time we try to enforce solutions the hard way, we make the end user experience even worse. Those of us who remember the web in 1999 with "this site is best viewed with MSIE" or "site designed for 800x600" should realize how much worse the experience has become since then, mainly over the last few years, with alerts and ask-for-consent pop-ups everywhere.

What (in my opinion) works is raising awareness to the end user and leaving him the choice, because in this case the site operators have an incentive to try to be better than the competitor in terms of UX, instead of being forced by law to be as bad.

Some simple examples that come to my mind and which could improve the situation already:

- when a site delivers a cookie with "too long" a duration, ask the user if he's willing to accept it or to trim the duration to a shorter one. Let the user configure the max duration before warning. Sites will learn that the shorter the duration, the least number of irritated people they have, pretty similar to the response time or lack of HTTPS these days.

- when a tab is closed with session cookies in it, ask the user what to do with these cookies. This way we'll train users to use the "logout" button of the site before closing tabs, and sites to purge cookies on logout. This is much more powerful for privacy and confidentiality than just trying to redefine cookies.

- support a maximum duration on session cookies, and offer the choice to the user to override it. This problem is not new, we already had to work around it in haproxy many years ago because some mobile browsers would stick for too long to the same server, thus we encode an expiration date in the cookie value to force it to be ignored. It would be way better if it could be done by the browser: it would both solve a technical problem *and* improve privacy. I even suspect that some users will want to have the ability to control the maximum cookie's life and idle time by domain. By the way, in haproxy we support both idle and life time, which allows a cookie to be dropped past a certain age, or after some inactivity period. Typical sites using it for load balancing set the max age to around a week and maximum inactivity to around 8-12 hours. This can perfectly make sense for applications as well.

- add the ability for server-side equipment to purge *all* cookies for the same domain; right now it's extremely complicated for an edge component to emit a response asking to purge all cookies upon a logout page, while I think the browser easily knows all of them. Thus if the front load balancer could detect the logout page and emit a "set-cookie: *=" or something like this to mention that all known cookies for the site must be purged (possibly before a specific date or only session cookies), that would greatly help framework and infrastructure component authors to perform some cleanups by default.

These in my opinion are very low hanging fruits which can already improve the situation a lot, first by giving the control back to users, second by creating incentives for site operators to try to appear better than others instead of just saying "I'm forcing you to accept these terms because I'm required to by the laws of your country".

Regards,
Willy

Received on Tuesday, 28 August 2018 08:06:23 UTC
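
The server-side workaround the mail describes (dates carried in the cookie value so that a stale cookie is ignored once it is idle too long or too old) can be sketched as follows. This is an added example, not code from the mail or from haproxy; the `server|last_seen|first_seen` layout, the function names and the sample timestamps are assumptions made for illustration.

```python
import time

MAX_IDLE = 8 * 3600        # inactivity limit: 8 hours (low end of the range in the mail)
MAX_LIFE = 7 * 24 * 3600   # absolute age limit: about a week

def issue(server, now=None):
    """Build a fresh cookie value in the hypothetical layout server|last_seen|first_seen."""
    now = int(time.time() if now is None else now)
    return f"{server}|{now}|{now}"

def check(value, now=None, max_idle=MAX_IDLE, max_life=MAX_LIFE):
    """Return (server, refreshed_value), or (None, None) if the cookie must be ignored."""
    now = int(time.time() if now is None else now)
    try:
        server, last_seen, first_seen = value.split("|")
        last_seen, first_seen = int(last_seen), int(first_seen)
    except (AttributeError, ValueError):
        return None, None                  # malformed or missing: treat as absent
    if not server or first_seen > last_seen or last_seen > now:
        return None, None                  # inconsistent or future dates
    if now - last_seen > max_idle:
        return None, None                  # idle for too long
    if now - first_seen > max_life:
        return None, None                  # too old, however active the client was
    # Still valid: refresh last_seen but keep first_seen, so activity can
    # extend the idle window without ever extending the total lifetime.
    return server, f"{server}|{now}|{first_seen}"

if __name__ == "__main__":
    t0 = 1535443549                        # constructed sample timestamp
    v = issue("srv1", t0)
    print(check(v, t0 + 3600))             # accepted and refreshed
    print(check(v, t0 + 9 * 3600))         # ignored: idle beyond 8 hours
```

The dates travel in a value the client holds, so this only bounds stickiness for browsers that return the cookie unmodified; a value used for anything security-sensitive would also need to be authenticated.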