W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2019

Re: Migrating some high-entropy HTTP headers to Client Hints.

From: Mark Nottingham <mnot@mnot.net>
Date: Tue, 29 Jan 2019 11:06:51 +0900
Cc: "Martin J. Dürst" <duerst@it.aoyama.ac.jp>, Mike West <mkwst@google.com>, Yoav Weiss <yoavweiss@google.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <B0D47424-A0FF-4A65-B6B6-ABDDD443D00D@mnot.net>
To: Ilya Grigorik <igrigorik@google.com>


> On 29 Jan 2019, at 8:07 am, Ilya Grigorik <igrigorik@google.com> wrote:
> 
> On Mon, Jan 7, 2019 at 11:33 PM Mark Nottingham <mnot@mnot.net> wrote:
> From an HTTP WG perspective - does anyone object to the plan that Ilya lays out below for Client Hints?
> 
> I'll take silence as lack of vocal objections and proceed as described.. Unless I hear evidence to the contrary by EOW / Feb 1st. :)

I think that's a safe assumption; thanks.

> 
> On Tue, Jan 15, 2019 at 4:15 AM Martin J. Dürst <duerst@it.aoyama.ac.jp> wrote:
> > Does that answer your question?
> 
> Partially. But let me be more specific about the threat scenario I'm 
> thinking about. Web sites use all kinds of third party services, some of 
> the main ones being advertising and analytics. All these services come 
> with installation instructions. My (easy, I'd say) guess is that these 
> installation instructions will include instructions to activate the 
> necessary third-party opt-ins for the server in question for those 
> third-party services that are interested in fingerprinting.
> 
> Given that many third-party services are interested in fingerprinting, 
> and that many Web administrators follow instructions carefully, I'd 
> guess that most sites will end up with fingerprinting third-party 
> services anyway. Those sites not interested in fingerprinting didn't 
> analyse the Accept... headers to begin with.
> 
> Hi Martin.
> 
> To echo what Mike highlighted before, I don't think we're suggesting that CH will eliminate fingerprinting. To your point, yes 3P providers will likely request that site owners grant access to these hints, but that in itself is already a significant step forward: hints are restricted to secure transports (significantly reduced fingerprinting surface area for unencrypted traffic); 1P must explicitly state what hints they want to receive (auditing); 1P must explicitly delegate permission to 3Ps (auditing and permission based access). Compare that to status quo today, where there are no signals on what data is being requested and used by whom, and most 1P's being entirely unaware of which 3P's are collecting what data from their users.
> 
> CH is not a magic bullet but the constraints it introduces — I think — offer significant accountability and transparency improvements over status quo.
> 
> ig
> 
> 
> 
> 
> 

--
Mark Nottingham   https://www.mnot.net/
Received on Tuesday, 29 January 2019 02:07:23 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 29 January 2019 02:07:24 UTC