Re: UMP / CORS: Implementor Interest

On Apr 21, 2010, at 8:29 PM, Mark S. Miller wrote:

> Thanks, the Tor example is clarifying. Tor attempts to actually  
> provide anonymity, by attempting to hide all information that might  
> be inadvertently identifying, like IP address, traffic patterns, or  
> other side channels. The threat model includes an attacker that may  
> be trying to identify the user despite the absence of any purposely  
> included identifying information. UniformRequests provide no such  
> protection, and so should not seem to promise such. Since  
> authorizing decisions only rely on overt information, prevention of  
> CSRF-like vulnerabilities need only be concerned about overt  
> information. Suppressing side channels is *much* harder.

Considering the Tor example, would you agree that the possibility of  
explicitly including identifying information in message content does  
not invalidate the term "anonymous"?

Side channels are an interesting issue, but separate from the original  
issue you raised of explicitly added identifying information.

I tend to think that side channels also do not disqualify the word  
"anonymous". For example, it's common (or at least stereotypical) for  
employers or public places of business to have an "anonymous comment  
box". However, typically when someone leaves a comment their  
fingerprints will be all over the piece of paper, so in theory it  
could be traced back to them. But we don't generally think this  
invalidates the use of the word "anonymous". Similarly, it's common  
for blogs to allow anonymous comments (although some make a point of  
explicitly saying that they "don't allow anonymous comments", in  
almost those exact words). But "anonymous" comment systems take no  
measures to hide side-channel fingerprints, such as the IP address  
from which the commenter is posting.

Thus, I conclude that in normal use and even in the context of  
information technology, the common meaning of the term anonymous can  
be applied to systems that do not prevent identification through side  
channels.

I think this addresses both of your objections so far to the term  
"Anonymous".

That being said, I'm totally open to a name that conveys the same  
meaning with less perceived ambiguity. I just don't think "Uniform" is  
it. It doesn't get across the main idea very well at all. We need a  
phrase that says "the browser won't automatically add any credentials,  
identifying information or ambient authority".

Regards,
Maciej

Received on Thursday, 22 April 2010 06:48:57 UTC