- From: Jeffrey Yasskin <jyasskin@google.com>
- Date: Mon, 30 Jan 2023 14:11:59 -0800
- To: "Soni L." <fakedme+http@gmail.com>
- Cc: ietf-http-wg@w3.org
- Message-ID: <CANh-dX=hpx-QnUM_7drKUHtMiT7jUXxkBT7nTh6_LCO69vL7pg@mail.gmail.com>

The negative choices are up to individual clients. For example, Chrome's User-Agent reduction <https://www.chromium.org/updates/ua-reduction/> depends on certain client hints <https://wicg.github.io/ua-client-hints/#http-ua-hints> being available, but it's a separate change.

Jeffrey

On Mon, Jan 30, 2023 at 1:42 PM Soni L. <fakedme+http@gmail.com> wrote:

>
>
> On 1/30/23 18:27, Nick Harper wrote:
>
> It sounds like what you want is Client Hints (https://developer.mozilla.org/en-US/docs/Web/HTTP/Client_hints).
>
>
> Roughly, but it still doesn't eliminate the existing headers altogether.
>
> Client Hints seems to be *positive* hints only, i.e. "send these, please".
>
> What about *negative* hints, i.e. "don't even bother sending these"? How
> do you prevent useless data from being sent?
>
>
> On Mon, Jan 30, 2023 at 10:48 AM Soni L. <fakedme+http@gmail.com> wrote:
>
>>
>>
>> On 1/30/23 04:44, Fabian Keil wrote:
>> > "Soni L." <fakedme+http@gmail.com> wrote on 2023-01-29 at 11:45:53:
>> >
>> > > It would be appreciated if there were a slower HTTP, with more round
>> > > trips, explicitly designed with privacy negotiation in mind.
>> > >
>> > > Importantly, you can't leak data which you do not have. The best way to
>> > > not have that data is to not receive it.
>> > >
>> > > Why does a server need to accept user agents and a bunch of other
>> > > unnecessary stuff if it isn't gonna use it? Doesn't it just make the
>> > > server more liable for no good reason? Make it possible to turn it off!
>> > > Most of it can just be turned off.
>> > >
>> > > In fact, the simplest servers (static hosting) only really need the URL
>> > > and the Host. Everything else is unnecessary liability.
>> >
>> > It's not exactly what you ask for, but Privoxy [0] has a
>> > delay-response{} response action [1] that is somewhat related.
>> >
>> > Fabian
>> >
>> > [0] <https://www.privoxy.org/>
>> > [1] <https://www.privoxy.org/user-manual/actions-file.html#DELAY-RESPONSE>
>>
>> It's not at all what we ask for! Uh, we mean like, why does the HTTP
>> server have to parse and discard the User-Agent header and another 10 or
>> so headers which it has no use for, instead of just... not receiving
>> those headers in the first place?
>>
>> Why can't the client send URL and Host, then wait for the server to send
>> a Headers Required message, then send the required headers (which may be
>> none)? Yes, it takes longer (more RTTs), but the best way to improve
>> privacy is to not have the data in the first place.
>>
>>
>

Received on Monday, 30 January 2023 22:12:25 UTC
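
The Accept-CH opt-in that the thread contrasts with "negative hints", as an added example that is not part of the original messages or of any browser's code. The `Client` class, the set of headers sent by default, the sample header values, and the rule that a newer Accept-CH list replaces the older one are modelling assumptions.

```python
# Added illustration: toy model of the Accept-CH opt-in; all names and values are constructed.
# Headers this model client always sends; nothing the server says switches them off.
DEFAULT_HEADERS = {
    "host": "static.example",
    "user-agent": "ExampleBrowser/1.0",
    "sec-ch-ua": '"ExampleBrowser";v="1"',
    "sec-ch-ua-mobile": "?0",
    "sec-ch-ua-platform": '"ExampleOS"',
}
# High-entropy hints the client holds back until the origin asks for them.
ON_REQUEST_HINTS = {
    "sec-ch-ua-arch": '"x86"',
    "sec-ch-ua-model": '""',
    "sec-ch-ua-platform-version": '"1.0.0"',
}

def parse_accept_ch(value):
    """Split an Accept-CH value into a set of lower-cased header names."""
    return {item.strip().lower() for item in value.split(",") if item.strip()}

class Client:
    def __init__(self):
        self.opt_in = {}  # origin -> hint names that origin asked for

    def handle_response(self, origin, headers):
        """Record the origin's Accept-CH list (assumption: latest list replaces the old)."""
        lowered = {k.lower(): v for k, v in headers.items()}
        if "accept-ch" in lowered:
            self.opt_in[origin] = parse_accept_ch(lowered["accept-ch"])

    def request_headers(self, origin):
        """Headers for the next request to origin: defaults plus requested hints."""
        sent = dict(DEFAULT_HEADERS)
        for name in self.opt_in.get(origin, set()):
            if name in ON_REQUEST_HINTS:  # unknown hint names are ignored
                sent[name] = ON_REQUEST_HINTS[name]
        return sent

def demo():
    origin, client = "https://static.example", Client()
    first = client.request_headers(origin)
    client.handle_response(origin, {"Accept-CH": "Sec-CH-UA-Arch, Sec-CH-UA-Model"})
    second = client.request_headers(origin)
    client.handle_response(origin, {"Accept-CH": ""})  # server asks for nothing
    third = client.request_headers(origin)
    return first, second, third  # third == first: the defaults still go out
```

In this model the server can only widen what it receives; even an empty Accept-CH leaves the default set in place, so a server that wants less has to discard or decline to log those headers on its own side.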