- From: Toby Inkster <tai@g5n.co.uk>
- Date: Tue, 01 Feb 2011 12:07:05 +0000
- To: WebID Incubator Group WG <public-xg-webid@w3.org>
On Tue, 2011-02-01 at 11:27 +0000, WebID Incubator Group Issue Tracker wrote: > Namely, privacy is not guaranteed, an intermediary (or a > "webid/profile host") can detect a request from a server (say a bank, > a private site, an adult site, a gambling site) to a users WebID URI > and thus know the user has attempted to identify on said site. s/know the user has/suppose the user may have possibly/ My WebID is <http://tobyinkster.co.uk/#i>. Of all HTTP requests for "/" on my domain name, WebID authentication attempts make up a pretty small fraction. > This may be something which the protocol needs to address (for > instance, force TLS for dereferencing), or may be something that is > best noted and addressed by specification text (note as a security > consideration and give advice). Forcing TLS doesn't help much. The host of the profile still knows which profile was requested and when. (They probably log it.) This problem can be somewhat mitigated by providing multiple WebIDs in a single document. e.g. if Alice and Bob's WebIDs are: http://example.com/smith-family.rdf#alice http://example.com/smith-family.rdf#bob Then when an HTTP request for <http://example.com/smith-family.rdf> is made, nobody listening knows who (if anybody) is trying to authenticate. Adult sites, and others which may want to protect their users privacy, could make their HTTP requests via a proxy. -- Toby A Inkster <mailto:mail@tobyinkster.co.uk> <http://tobyinkster.co.uk>
Received on Tuesday, 1 February 2011 12:07:48 UTC