Re: Alissa Cooper's No Objection on draft-ietf-httpbis-client-hints-14: (with COMMENT)

On Thu, May 21, 2020 at 6:33 PM Alissa Cooper <alissa@cooperw.in> wrote:

>
>
> On May 21, 2020, at 12:25 PM, Eric Rescorla <ekr@rtfm.com> wrote:
>
>
>
> On Thu, May 21, 2020 at 6:48 AM Alissa Cooper via Datatracker <
> noreply@ietf.org> wrote:
>
>> Alissa Cooper has entered the following ballot position for
>> draft-ietf-httpbis-client-hints-14: No Objection
>>
>> When responding, please keep the subject line intact and reply to all
>> email addresses included in the To and CC lines. (Feel free to cut this
>> introductory paragraph, however.)
>>
>>
>> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
>> for more information about IESG DISCUSS and COMMENT positions.
>>
>>
>> The document, along with other ballot positions, can be found here:
>> https://datatracker.ietf.org/doc/draft-ietf-httpbis-client-hints/
>>
>>
>>
>> ----------------------------------------------------------------------
>> COMMENT:
>> ----------------------------------------------------------------------
>>
>> Section 1: "passively providing such information allows servers to
>> silently
>> fingerprint the user" --> isn't pretty much all fingerprinting silent?
>>
>> Moreover, I think it would be good to explain in Section 1 that Client
>> Hints
>> provides a way for servers to actively fingerprint clients rather than
>> doing it
>> passively.
>>
>
> I actually don't think this characterization is correct. Specifically:
>
> - When something that clients unilaterally send now is replaced by a
> client hint (e.g., User-Agent) then this changes fingerprinting from
> passive to active
> - When something that you currently have to call a JS API to get is
> replaced by a client hint, then this makes it *more* passive because the
> server only has to take one action to get the hint indefinitely.
>
>
> Maybe this could be explained in the draft? The second bit didn’t really
> come through.
>

I have to say that I don't necessarily agree with the second sentence.
I don't think that "passive" vs. "active" fingerprinting is a spectrum.
IMO, "passive" describes undetectable fingerprinting whereas "active"
describes one that's detectable. The fact that Client Hints get updated
over time doesn't make them less detectable.
AFAIK, we don't consider e.g. CSS Media Queries to be a "more passive"
fingerprinting vector then their equivalent JS APIs. Both are active, as
their use is detectable on the client (including when they update the
information they expose).


> Alissa
>
>
> -Ekr
>
>
>
>>
>

Received on Wednesday, 17 June 2020 09:01:05 UTC