Re: Network Information API from Josh Soref on 2013-12-09 (public-device-apis@w3.org from December 2013)

From: Josh Soref <jsoref@blackberry.com>
Date: Mon, 9 Dec 2013 18:18:26 +0000
To: DAP <public-device-apis@w3.org>
Message-ID: <CECB70CF.7568%jsoref@blackberry.com>

Frederick wrote:
>this seems aligned with recent discussions elsewhere that a low level
>interface is required to allow agility in use; however I appreciate
>Anssi's goal of simplification/abstraction.

>how does this interface communicate the performance characteristics of
>each interface, or is that assumed to be known to the application (based
>on what, the names?)

Performance characteristics should be determined by using a WebPerf API to
a specific remote endpoint. There isn¹t a meaningful performance value
without a remote endpoint. (Try comparing how fast your links in China
were to Chinese sites vs. how fast your links were to US sites while you
were @ TPAC.)

>a couple of privacy questions:

>does this API enhance fingerprinting possibilities by allowing
>enumeration of interfaces?

Technically you can find this by abusing network requests (both triggering
magic dns requests to determine dns provider, and making arbitrary ip
based connections to figure out local topography).

I think that for the average web page, instead of providing ³network
added² or each new network, instead, browsers could simply provide
³network changed² when the primary network link changes. This should avoid
fingerprinting / enumeration of interfaces for the average app.

>does exposing a  persistent uuid provide user identifying information to
>applications enabling correlation of activity across applications thus
>creating a privacy risk?

So, this is a bit of a disaster of course, I¹m quite happy for it to be a
randomly generated number which is only meaningful for a single session of
a single web page - just enough so that a web site can distinguish between
the current one and the previous one or something like that.

It might instead of a uuid be a random uint4 where it promises not to
recycle the last one or two values now lost connections to the web page
and where each 

I haven¹t spent enough time trying to figure out how one would want to use
it, at some point I¹ll try to prototype an app or two based on an api
(definitely not this year, possibly not even next quarter).

---------------------------------------------------------------------
This transmission (including any attachments) may contain confidential information, privileged material (including material protected by the solicitor-client or other applicable privileges), or constitute non-public information. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this transmission in error, please immediately reply to the sender and delete this information from your system. Use, dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be unlawful.

Received on Monday, 9 December 2013 18:18:54 UTC