- From: Dennis Jackson <ietf@dennis-jackson.uk>
- Date: Mon, 12 Jun 2023 12:05:11 +0100
- To: ietf-http-wg@w3.org
I'm concerned about how users are going to understand this kind of feature.
My mental model of the current best practice recommended by sensitive
sites is:
1. Users open their browser's version of private browsing.
2. Users enter the name of their website into the address bar and
perform a search (user's can't bookmark or have browser history suggest
this page due to the threat model and few users will type out proper
domains).
3. Users navigate to the site.
However, if user's neglect to use private browsing and rely on OTR mode,
their search term is still going to be saved in their browser history
and most likely in their search engine history (e.g. Google Search's Web
History). Testing this on Brave Nightly on Linux left my search term
"love is respect" in my page history after using OTR mode to visit the
site.
This information is just as useful to an abuser and means that users of
OTR may incorrectly assume it is effective in this common use case and
equivalent to using a private browsing mode. The user agent could prune
the navigation history leading to the OTR page, but this is going to
make the allow-listing safeguard ineffective against abuse since
attackers can redirect page loads to benefit from the retrospective wipe.
In the announcement post, it was highlighted that you're engaging with
academics to evaluate user understanding of this new mode. Have they
already weighed in on this question? Is it feasible to evaluate whether
this feature's privacy improvement for users navigating directly to a
sensitive site without privacy browsing outweighs the privacy reduction
for users who would have used private browsing but no longer perceive it
as necessary?
Best,
Dennis
On 08/06/2023 20:14, Shivan Kaul Sahib wrote:
> Hi folks, this is a head's up and early request for feedback:
>
> Brave is shipping support for an HTTP response header sent by a
> website that wants the client to treat the website as "off-the-record"
> i.e. not store anything in storage, not record the site visit in
> history etc. Kind of like incognito/private browsing mode but
> site-initiated and only for a specific website. The header is simple:
> it would look like `Request-OTR: 1`. Some details here:
> https://brave.com/privacy-updates/26-request-off-the-record/#request-otr-header. Currently
> we bootstrap for websites that have expressed interest in this (mainly
> websites that have help resources for domestic violence victims, which
> was the driving use-case) by preloading a list of websites into the
> browser, but it would be nice to standardize the header. We're
> considering doing the work in the HTTP WG at IETF: it's envisioned to
> be a simple header.
>
> I see that this idea was previously discussed in W3C WebAppSec:
> https://lists.w3.org/Archives/Public/public-webappsec/2015Sep/0016.html,
> and there was a draft Mozilla spec:
> https://wiki.mozilla.org/Security/Automatic_Private_Browsing_Upgrades,
> though as a CSP directive.
>
> Happy to hear what people think.
>
>
Received on Monday, 12 June 2023 11:05:24 UTC