
Re: Migrating some high-entropy HTTP headers to Client Hints.

From: Ilya Grigorik <igrigorik@google.com>
Date: Mon, 28 Jan 2019 17:07:18 -0600
Message-ID: <CADXXVKoHnhkpMevpEZquPLmDEpzTmigG_nzGqBk=7SEqiJ6=Gg@mail.gmail.com>
To: Martin J. Dürst <duerst@it.aoyama.ac.jp>
Cc: Mike West <mkwst@google.com>, Yoav Weiss <yoavweiss@google.com>, HTTP Working Group <ietf-http-wg@w3.org>

On Mon, Jan 7, 2019 at 11:33 PM Mark Nottingham <mnot@mnot.net> wrote:

> From an HTTP WG perspective - does anyone object to the plan that Ilya
> lays out below for Client Hints?
>

I'll take silence as lack of vocal objections and proceed as described.
Unless I hear evidence to the contrary by EOW / Feb 1st. :)

On Tue, Jan 15, 2019 at 4:15 AM Martin J. Dürst <duerst@it.aoyama.ac.jp>
wrote:

> > Does that answer your question?
>
> Partially. But let me be more specific about the threat scenario I'm
> thinking about. Web sites use all kinds of third party services, some of
> the main ones being advertising and analytics. All these services come
> with installation instructions. My (easy, I'd say) guess is that these
> installation instructions will include instructions to activate the
> necessary third-party opt-ins for the server in question for those
> third-party services that are interested in fingerprinting.
>
> Given that many third-party services are interested in fingerprinting,
> and that many Web administrators follow instructions carefully, I'd
> guess that most sites will end up with fingerprinting third-party
> services anyway. Those sites not interested in fingerprinting didn't
> analyse the Accept... headers to begin with.
>

Hi Martin.

To echo what Mike highlighted before, I don't think we're suggesting that
CH will eliminate fingerprinting. To your point, yes 3P providers will
likely request that site owners grant access to these hints, but that in
itself is already a significant step forward: hints are restricted to
secure transports (significantly reduced fingerprinting surface area for
unencrypted traffic); 1P must explicitly state what hints they want to
receive (auditing); 1P must explicitly delegate permission to 3Ps (auditing
and permission-based access). Compare that to the status quo today, where there
are no signals on what data is being requested and used by whom, and most
1Ps are entirely unaware of which 3Ps are collecting what data from
their users.

CH is not a magic bullet but the constraints it introduces — I think —
offer significant accountability and transparency improvements over the
status quo.

ig
Received on Monday, 28 January 2019 23:08:16 UTC
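
The auditing described in the message above can be done from a first party's response headers alone. The following is an added example, not part of the original message or of any Client Hints implementation: it assumes the `Accept-CH` opt-in and `Permissions-Policy` delegation headers of the current Client Hints specifications (the thread names neither), and all origins and header values are constructed.

```python
import re

# Constructed sample: response headers of a first-party page (not from the thread).
SAMPLE = {
    "Accept-CH": "Sec-CH-UA-Platform-Version, DPR",
    "Permissions-Policy": 'ch-ua-platform-version=(self "https://ads.example"), '
                          'ch-dpr=*, ch-device-memory=("https://cdn.example"), geolocation=()',
}

def feature_name(hint):
    """Accept-CH token -> policy feature, e.g. Sec-CH-UA-Arch -> ch-ua-arch, DPR -> ch-dpr."""
    h = hint.strip().lower()
    if h.startswith("sec-"):
        h = h[4:]
    return h if h.startswith("ch-") else "ch-" + h

def parse_delegations(policy):
    """Return {ch-feature: [allowlist entries]} from a Permissions-Policy value.
    Simplified parser: assumes origins contain no '=' or ')' characters."""
    out = {}
    for m in re.finditer(r'([a-z0-9-]+)\s*=\s*(\([^)]*\)|[^,\s]+)', policy):
        if m.group(1).startswith("ch-"):
            items = re.findall(r'"[^"]*"|[^\s()"]+', m.group(2))
            out[m.group(1)] = [i.strip('"') for i in items]
    return out

def audit(page_url, headers):
    """List which third parties may receive which hints, plus review findings."""
    requested = {feature_name(t) for t in headers.get("Accept-CH", "").split(",") if t.strip()}
    delegated = parse_delegations(headers.get("Permissions-Policy", ""))
    grants, findings = {}, []
    if not page_url.lower().startswith("https://"):
        findings.append("page is not on a secure transport: hints opt-in is ignored")
    for feature, allow in sorted(delegated.items()):
        third = [a for a in allow if a != "self"]
        if feature not in requested:
            findings.append(f"{feature}: delegated but not requested in Accept-CH")
            continue
        if "*" in third:
            findings.append(f"{feature}: delegated to every origin (*)")
        for origin in third:
            grants.setdefault(origin, []).append(feature)
    return grants, findings

if __name__ == "__main__":
    print(audit("https://shop.example/", SAMPLE))
```
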
