- From: Maciej Stachowiak <mjs@apple.com>
- Date: Wed, 21 Apr 2010 23:47:53 -0700
- To: "Mark S. Miller" <erights@google.com>
- Cc: Anne van Kesteren <annevk@opera.com>, Jonas Sicking <jonas@sicking.cc>, "public-webapps@w3.org" <public-webapps@w3.org>

On Apr 21, 2010, at 8:29 PM, Mark S. Miller wrote:

> Thanks, the Tor example is clarifying. Tor attempts to actually
> provide anonymity, by attempting to hide all information that might
> be inadvertently identifying, like IP address, traffic patterns, or
> other side channels. The threat model includes an attacker that may
> be trying to identify the user despite the absence of any purposely
> included identifying information. UniformRequests provide no such
> protection, and so should not seem to promise such. Since
> authorizing decisions only rely on overt information, prevention of
> CSRF-like vulnerabilities need only be concerned about overt
> information. Suppressing side channels is *much* harder.

Considering the Tor example, would you agree that the possibility of explicitly including identifying information in message content does not invalidate the term "anonymous"?

Side channels are an interesting issue, but separate from the original issue you raised of explicitly added identifying information. I tend to think that side channels also do not disqualify the word "anonymous".

For example, it's common (or at least stereotypical) for employers or public places of business to have an "anonymous comment box". However, typically when someone leaves a comment their fingerprints will be all over the piece of paper, so in theory it could be traced back to them. But we don't generally think this invalidates the use of the word "anonymous".

Similarly, it's common for blogs to allow anonymous comments (although some make a point of explicitly saying that they "don't allow anonymous comments", in almost those exact words). But "anonymous" comment systems take no measures to hide side-channel fingerprints, such as the IP address from which the commenter is posting.

Thus, I conclude that in normal use and even in the context of information technology, the common meaning of the term anonymous can be applied to systems that do not prevent identification through side channels. I think this addresses both of your objections so far to the term "Anonymous".

That being said, I'm totally open to a name that conveys the same meaning with less perceived ambiguity. I just don't think "Uniform" is it. It doesn't get across the main idea very well at all. We need a phrase that says "the browser won't automatically add any credentials, identifying information or ambient authority".

Regards,
Maciej

Received on Thursday, 22 April 2010 06:48:57 UTC