Re: privacy considerations: can a nosy https: site probe user identity without explicit permission?

On 11 Feb 2011, at 14:50, Jan Wildeboer wrote:

> On 02/11/2011 02:26 PM, Henry Story wrote:
>> There is I think a bug in Safari (at least on OSX). If you send a certificate once to a site, Safari will always send it. Test it and file a bug report if it's still there. That is a security issue I reported, but I am not sure how responsive they are.
> Is that a bug? IMHO it would be extremely annoying if I open my Laptop and all 23 open tabs start yelling at me which cert to use.
> Compare it to the geolocation option. Typically the first time you visit a website the browser will ask if it is OK to share current location
> - Only once (prompt every time)
> - Always for this domain
> - Never for this domain

Yes, but that has issues of its own. Imagine someone uses your browser while you are not looking, or you mistakenly click on one of the buttons you just described above whilst you are in a hurry, at a point where you don't have time to look into it further, so you go and forget. Next time you go to that site it can keep a much stronger identifier on you than you ever thought.

The solution is just to show the user what certificate he is logged in under. 
In the URL bar the browser currently shows the server certificate. It should also show you, in a similar way, the short name in the DN of the certificate you are using in that session. By default you should be logged in as anonymous. All cookies should be tied to such a session, so that you can change identity and there is no cookie leakage.

This is a point I have made a few times, so I think it should be a deliverable to write it up, as it keeps coming up again and again, and the solution is so simple. It comes under ISSUE-14. 

> Now thinking ahead, would it be an option to have a list of approved domains right in the RDF file that is referenced in the cert? That way the user is in control, regardless.

That would be the wrong place to put the control I believe. It should be visible to the user at all times.

> I haven't thought it through completely yet, but IMHO a popup each and every time is annoying and will not work.

It is very annoying. But luckily there is no need for it at all. 


> Jan

Social Web Architect

Received on Friday, 11 February 2011 14:19:38 UTC
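
The session model proposed in the message above (anonymous by default, the certificate's short name shown alongside the server certificate, cookies bound to the active identity), as an added sketch that is not code from the thread or from any browser. `IdentityCookieJar`, `shortName`, and the sample origin and DN are hypothetical, and the DN parsing is simplified.

```javascript
// Added illustration; every name here is hypothetical, not a browser API.
const ANONYMOUS = "anonymous";

// Pull the CN out of an RFC 4514-style DN string for display in the URL bar.
// Simplified: splits on unescaped commas only, no multi-valued RDNs.
function shortName(dn) {
  for (const rdn of dn.split(/(?<!\\),/)) {
    const m = /^\s*CN\s*=\s*(.+?)\s*$/i.exec(rdn);
    if (m) return m[1].replace(/\\(.)/g, "$1"); // unescape "\," etc.
  }
  return dn; // no CN present: fall back to the full DN
}

class IdentityCookieJar {
  constructor() {
    this.identity = ANONYMOUS; // default session presents no certificate
    this.jars = new Map();     // identity -> Map(origin -> Map(name -> value))
  }
  // What the browser would display for the current session.
  indicator() {
    return this.identity === ANONYMOUS ? ANONYMOUS : shortName(this.identity);
  }
  // Explicit user action: choose a certificate by DN, or return to anonymous.
  switchIdentity(dn = ANONYMOUS) { this.identity = dn; }

  _jar(origin) {
    if (!this.jars.has(this.identity)) this.jars.set(this.identity, new Map());
    const byOrigin = this.jars.get(this.identity);
    if (!byOrigin.has(origin)) byOrigin.set(origin, new Map());
    return byOrigin.get(origin);
  }
  setCookie(origin, name, value) { this._jar(origin).set(name, value); }
  // Only cookies stored under the active identity are ever returned.
  cookiesFor(origin) { return Object.fromEntries(this._jar(origin)); }
}

function demo() {
  const jar = new IdentityCookieJar();
  const site = "https://example.org";          // constructed sample origin
  const dn = "CN=Alice Example,O=Example Org"; // constructed sample DN
  jar.setCookie(site, "sid", "anon-123");      // set while anonymous
  jar.switchIdentity(dn);
  const afterSwitch = jar.cookiesFor(site);    // anonymous cookie is not visible
  jar.setCookie(site, "sid", "alice-456");
  const label = jar.indicator();
  jar.switchIdentity();                        // back to anonymous
  return { afterSwitch, label, backToAnon: jar.cookiesFor(site) };
}
```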