- From: <bugzilla@jessica.w3.org>
- Date: Wed, 20 Aug 2014 23:37:15 +0000
- To: public-html-bugzilla@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=26332 --- Comment #47 from Ryan Sleevi <sleevi@google.com> --- (In reply to Joe Steele from comment #46) > When I am referring to "rogue" CDMs, I am specifically referring to CDMs > that could negatively impact user privacy in the ways described by Section 7 > "Privacy Considerations". None of these are normative. Calling them rogue CDMs is thus something that the spec doesn't really support. > > It is not clear to me at least that the CDMs that exist today are behaving > in a way that is detrimental to the user. Do you have a specific example in > mind? A hardware identifier is, in some circles (both UAs and users), viewed as detrimental to the user, blinded or not. > > The issue is that any intermediate can, for unprotected traffic, inject > > script to use that CDM and report to an arbitrary party those results. > > That's just how the web works. > > I agree with you here. But I believe we have locked down the information > that a CDM conforming to the privacy guidelines can provide to such a degree > that the available information for disclosure here is no worse than any web > application using cookies. I don't believe that this type of disclosure is > enough reason for this API to be held to a higher standard for conforming > CDMs. Respectfully, I disagree, and I'm sure most members of most security teams for most user agents would agree as well. Cookies are hardly a shining example of where we got privacy right. It took years for the "secure" flag to be introduced for cookies. User Agents are already looking at ways to reduce or prohibit cookies via HTTP. When analyzing security considerations, it's not sufficient to say something is "not worse" than that other thing - it's a question of whether we can and should do better. And the lesson from cookies - reiterated time and time again, is that yes, we should. This is not merely academic or ideological, nor is it specifically tied to non-blinded identifiers. Reports and disclosures of nation-state monitoring and espionage have included detailed descriptions of how blinded, purely random identifiers delivered via cookies are being used to target users. Introducing yet another means for users to be attacked (as the community has agreed it is, via BCP 188) is simply unnecessary. > I would consider a CDM that exposed permanent, non-blinded identifiers to be > a "rogue". However exposing an identifier that is no more privacy damaging > than a cookie does not seem like a concern to me, although some may > disagree. We have enough evidence to make strongly establish that this is indeed privacy damaging. Additionally, the mitigations of Section 7, non-normative as they are, still force users to make tradeoffs between security and privacy. That is, while you can point and suggest that a UA may generate a blinding factor when a user "clears their cookies", we know that few users do, and we know there are significant security benefits for the users that DON'T (reducing the typing of passwords, increasing the use of password managers, etc). We also know in practice that content providers are particularly hostile to users who employ these methods to preserve their privacy - often practically limiting the number of times a user may clear such identifiers. I (personally) regret to say that both Google and Netflix are among those that impose such limits, and I think it'd be hard to call us "rogue" in that respect. Thus, while they exist as mitigations on paper, we know in practice that they're insufficient, and users' will likely have these identifiers that last for years at a time. As a reminder, it's an entirely orthogonal issue as to whether two SITES receive the same identifier. An attacker in a privileged position on the network (as we have strong evidence of a number of nation-states and hostile entities being just that) can exploit a single site to obtain a persistent identifier to track that user as they browse and navigate. When thinking about how best to protect privacy and security of users, our goal should not be the minimum possible ("how it is today"), but looking at how we can maximize this, while balancing risks ("how we SHOULD do it"). Cookies have proven time and time again that we SHOULD do secure transports. -- You are receiving this mail because: You are the QA Contact for the bug.
Received on Wednesday, 20 August 2014 23:37:18 UTC