Re: Super Cookies in Privacy Browsing mode from chaals@yandex-team.ru on 2015-01-09 (public-privacy@w3.org from January to March 2015)

From: <chaals@yandex-team.ru>
Date: Fri, 09 Jan 2015 03:16:49 +0300
To: Christine Runnegar <runnegar@isoc.org>, David Singer <singer@apple.com>
Cc: "public-privacy (W3C mailing list)" <public-privacy@w3.org>
Message-Id: <275551420762609@webcorp01g.yandex-team.ru>

09.01.2015, 01:52, "Christine Runnegar" <runnegar@isoc.org>:
> Hi David,
>
> Regarding your query about private browsing modes -
>
> Copying from the summary of the PING meeting in November …
>
> “ … => TAG and private browsing mode

http://w3ctag.github.io/private-mode/ is the editors' draft.

cheers

> Mark Nottingham gave an overview of the TAG’s work on browsers “private browsing mode”. The work looks at the mode for three use cases: other users, network attacker, the website itself. The aim is to provide “best class” protection in private browsing mode while not lowering privacy standards outside privacy browsing mode.
>
> The work can be followed on the tag email list [2]. Mark hopes to have a draft ready by the January TAG face-to-face meeting."
>
> [2] www-tag@w3.org"
>
> Christine
>
> On 8 Jan 2015, at 11:39 pm, David Singer <singer@apple.com> wrote:
>>  I think we might need a consensus definition of what private browsing mode is, and how it affects servers.  We had some offline conversation about it at the workshop.
>>
>>  For example, for some people ‘private browsing’ starts a sandbox that is initialized from the regular browsing context (cookies and all), but that is discarded at the end of the private browsing session.  There’s no need for supercookies to correlate the regular browsing into private browsing, as the cookies are there.  Correlating the other way will simply raise the ire of users if you are not careful, as it would persist state and hence ‘leak’ from the private session back into the general one.
>>
>>  I have some ideas around codifying ‘private browsing mode’ and how to communicate ‘heh, I am trying to be private here!’ to servers.  Is this a topic of interest to others?
>>>  On Jan 8, 2015, at 12:13 , Rigo Wenning <rigo@w3.org> wrote:
>>>
>>>  Happy New Year!
>>>
>>>  Interesting article about how HTTP Strict Transport Security can be used to
>>>  circumvent the protections in the private browsing mode. But it seems to be
>>>  fixed in firefox >34. I don't know about the other browsers.
>>>
>>>  --Rigo
>>  David Singer
>>  Manager, Software Standards, Apple Inc.

--
Charles McCathie Nevile - web standards - CTO Office, Yandex
chaals@yandex-team.ru - - - Find more at http://yandex.com

Received on Friday, 9 January 2015 00:17:25 UTC