Re: Re: Re: Keyboard events for accessible RIAs and Games

>> Well yes, implicitly you did. If a random website can figure out where keys
>> are on your keyboard (i.e. what layout you are using) it is an extra data
>> point for fingerprinting / tracking users.


> I strongly disagree that we should sacrifice accessibility and
> i18n on the altar of fingerprinting concerns.


Let's try to solve the problem rather than stating disagreement. We have - here and many, many other places - conflicting goals between enabling features and protecting users from some potential abuse. We're discussing this in order to balance both concerns without "sacrificing" anything - as long as we find a way forward.
 
> The HTTP header "accept-language" defined by HTTP 1.1 section 1.4.4 
> http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html already provides the user's
> locale. A user's locale has a strong correlation to a user's keyboard layout.


This is definitely true, however for fingerprinting the devil really is in the details. So I'm that guy requesting nn-NO with an en-GB keyboard (bought laptop while living in London ages ago). Plus surfing with Opera. There's probably only one of me ;-).


> If the intent is to avoid adding identifiable bits by preventing locale sniffing
> that train is gone with accept-language.


The problem with fingerprinting is that the more bits of information we add, the easier it gets.


Anyway, we are (again) up against the old problem that browsers aren't very good at letting users say "I trust this site". IMHO browsers should have a "Trusted sites" list as a prominent part of their UI. IE's security zones was an attempt at solving this, but the implementation IMO wasn't really usable. For all I know the FirefoxOS "every site can be an app" approach is a way to get there, if the app-bookmarked-sites get extra privileges?


-- 
Hallvord R. M. Steen
Core tester, Opera Software

Received on Thursday, 31 January 2013 12:49:48 UTC
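
Added example, not part of the original message: a privacy-review calculation of how much identifying information keyboard layout adds once Accept-Language is already known, which is the point the thread disputes. The population and its counts are constructed for illustration, as are the function names.

```python
import math
from collections import Counter

# Constructed population of (Accept-Language, keyboard layout, browser).
# The counts are invented for illustration; they are not measured data.
POPULATION = (
    [("en-US", "en-US", "Firefox")] * 400 + [("en-US", "en-US", "IE")] * 300
    + [("en-GB", "en-GB", "Firefox")] * 120 + [("en-GB", "en-GB", "IE")] * 80
    + [("nb-NO", "nb-NO", "Firefox")] * 50 + [("nb-NO", "nb-NO", "Opera")] * 30
    + [("nn-NO", "nb-NO", "Firefox")] * 12 + [("nn-NO", "nb-NO", "Opera")] * 4
    + [("en-US", "en-GB", "Firefox")] * 3
    + [("nn-NO", "en-GB", "Opera")] * 1   # the outlier described in the reply
)
LOCALE, LAYOUT, BROWSER = 0, 1, 2

def project(population, fields):
    """Keep only the listed attribute columns of every row."""
    return [tuple(row[i] for i in fields) for row in population]

def entropy(values):
    """Shannon entropy, in bits, of the empirical distribution of values."""
    counts = Counter(values)
    n = sum(counts.values())
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def added_bits(population, known, new):
    """Conditional entropy H(new | known): average bits the new attributes
    reveal to a site that already sees the known ones."""
    both = entropy(project(population, known + new))
    return both - entropy(project(population, known))

def anonymity_set(population, fields, row):
    """How many users share this row's values on the given attributes."""
    return project(population, fields).count(tuple(row[i] for i in fields))

if __name__ == "__main__":
    me = ("nn-NO", "en-GB", "Opera")
    print("H(layout)            = %.3f bits" % entropy(project(POPULATION, [LAYOUT])))
    print("H(layout | locale)   = %.3f bits" % added_bits(POPULATION, [LOCALE], [LAYOUT]))
    for fields in ([LOCALE], [LOCALE, BROWSER], [LOCALE, BROWSER, LAYOUT]):
        print(fields, "anonymity set:", anonymity_set(POPULATION, fields, me))
```

In this constructed data the average gain from layout is small because it correlates with locale, yet the user whose layout does not match their locale drops from an anonymity set of 5 to 1.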