- From: Johnathan Nightingale <johnath@mozilla.com>
- Date: Mon, 20 Aug 2007 13:11:00 -0400
- To: Web Security Context Working Group WG <public-wsc-wg@w3.org>
On 19-Aug-07, at 12:31 PM, Web Security Context Working Group Issue Tracker wrote:

> ISSUE-105: What information should be communicated about client
> state? [Techniques]
>
> http://www.w3.org/2006/WSC/track/issues/
>
> Raised by: Thomas Roessler
> On product: Techniques
>
> Whether or not the client keeps state that can be played back to
> the Web site is probably relevant security context information.
> Talking about cookie state display might be useful.
>
> However, it is by now well-known that there are a number of
> mechanisms for keeping such state, including Flash, Google Gears,
> and Javascript/caching tricks.
>
> Plugins and extensions can probably be dealt with by sufficiently
> generic language that covers them. What to do about clever caching
> of javascript code? Nothing at all?

There are, as you say, myriad ways for bad people to store tracking information that are difficult or impossible for browsers to detect, and absolutely impossible to meaningfully communicate to users. I think the question for this workgroup then, with regards to this issue, is whether we think there's value in informing users about legitimate sites doing this (since they are more likely to use simple approaches, like cookies)?

Obviously, if presented in too hostile a way, even legit sites will start looking for alternates, but before we cross the presentation bridge, I think we should find an answer on the question of scope/value.

PageInfoSummary (and I apologise, I'm still catching up on last week's email, so Tyler's note about scoping it out, and Thomas' rewrite, notwithstanding) exposed certain of this information (have I visited before, does the site maintain cookies) in an unintrusive way. Does that offer a means to answering this issue, or does it, in the opinion of the group, merit its own recommendation/presentation?

Cheers,

J

---
Johnathan Nightingale
Human Shield
johnath@mozilla.com

Received on Monday, 20 August 2007 17:11:25 UTC