- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Fri, 29 Nov 2013 03:04:13 +0100
- To: cowwoc <cowwoc@bbs.darktech.org>
- Cc: Eric Rescorla <ekr@rtfm.com>, "public-media-capture@w3.org" <public-media-capture@w3.org>
* cowwoc wrote:
>So in conclusion:
>
> 1. I agree with you. We shouldn't try to protect against fingerprinting
>    at all.

I take it from the rate at which browser vendors add more and better ways "to fingerprint" that the goal is not protection from attackers, but rather making the "user has disabled X; you tried to work around that; you got caught, fined, and stopped"-style flow easy and obvious.

You can take "outbound link tracking" as an example. If you use the proposed `<a ping>` attribute, you would be using a HTML standard feature exactly for its intended purpose. It would be hard for data protection officials to argue you are doing something you should not. If instead you do the same with 200 lines of convoluted JS code with browser switches and server redirects and whatnot, it's pretty easy.

> 2. If we want to protect against fingerprinting, I still advocate
>    tackling it in a consistent manner instead of tackling each API
>    point on its own.

Actually http://www.w3.org/DesignIssues/Principles.html many of the "fingerprinting" issues come from ignoring the "Principle of Least Power" and allowing powerful machines where simpler ones suffice.

--
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Friday, 29 November 2013 02:04:41 UTC