
Re: A Somewhat Critical View of SOP (Same Origin Policy)

From: Eric Mill <eric@konklone.com>
Date: Tue, 15 Sep 2015 00:06:24 -0400
Message-ID: <CANBOYLVC5iBFy6VOvp7vaTipjTKr53bg5EEZWw_RD7=96z3ZQA@mail.gmail.com>
To: Rigo Wenning <rigo@w3.org>
Cc: Henry Story <henry.story@co-operating.systems>, public-web-security@w3.org, "Mike O'Neill" <michael.oneill@baycloud.com>, Anders Rundgren <anders.rundgren.net@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Mon, Sep 14, 2015 at 1:08 PM, Rigo Wenning <rigo@w3.org> wrote:

>
> thanks for the cross-linking. The same argumentation has already been used
> during the rechartering of the WebCrypto Group. The privacy argument used by
> people from one of the largest origins is funny at best. If I use my token
> with A and I use my token with B, A and B have to communicate to find out that
> I used them both.
>

For precision's sake: FIDO's model for U2F tokens is that A and B cannot
determine from their U2F-derived information that the same token was used
to create an account with A and an account with B, even if A and B collude
to try to determine this.

> If I use my super large origin to have analytics here and advertisement there
> and social networking over there, all the identified data is collected by the
> super same origin. This makes the privacy argument in this discussion so
> interesting. Especially as it gives the big players that are already close to
> monopoly yet another competitive advantage.
>

This is a similar argument to the one Andreas Gal made when arguing that
Google's push for HTTPS was actually a way of shutting out competitors from
obtaining user search queries/responses.

http://andreasgal.com/2015/03/30/data-is-at-the-heart-of-search-but-who-has-access-to-it/

It's a dynamic worth understanding, and I'm thankful Andreas wrote this
post, but it doesn't follow that HTTPS is bad for users, bad for
competition, or that Google's staff are arguing for HTTPS in bad faith.

-- Eric


-- 
konklone.com | @konklone <https://twitter.com/konklone>
Received on Tuesday, 15 September 2015 04:07:29 UTC