- From: Mike O'Neill <michael.oneill@baycloud.com>
- Date: Sun, 18 Jan 2015 06:06:59 -0000
- To: "'Bjoern Hoehrmann'" <derhoermi@gmx.net>, "'Chris Palmer'" <palmer@google.com>
- Cc: "'Noah Mendelsohn'" <nrm@arcanedomain.com>, <www-tag@w3.org>
> -----Original Message-----
> From: Bjoern Hoehrmann [mailto:derhoermi@gmx.net]
> Sent: 18 January 2015 02:03
> To: Chris Palmer
> Cc: Noah Mendelsohn; www-tag@w3.org
> Subject: Re: Verizon Wireless ISP-injected tracking info used to reconstruct
> deleted cookies
>
> * Chris Palmer wrote:
> >A code-signed browser from a trustworthy source, consulting only its
> >own trust anchor store and/or enforcing key pinning and/or enforcing
> >Certificate Transparency, can generally enforce the guarantees of
> >HTTPS (which include stopping these cookie insertion attacks).
> >
> >Of course, if the platform is under the control of someone other than
> >the owner, such as the carrier, the platform can subvert any
> >application at run-time.
> >
> >That underscores the importance of getting one's platform from a
> >trustworthy vendor. But that problem is entirely outside of TAG's
> >scope.
>
> When you use an Acme browser on an Acme phone running the Acme OS to
> access Acme web services over Internet services provided by Acme, to
> clarify your terminology, what would be "your platform", would you be
> the "owner" of it, and would it be under "your control"?

+1. Even if the browser, OS were under your control you have no control over what the web application is doing with your data. Not only could it be being shared with servers through third-party sub-requests, it can also be passed server-server to thousands of other entities and often is. Link security != privacy. Privacy needs the rule of law not total secrecy.

> Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
> D-10243 Berlin · PGP Pub. KeyID: 0xA4357E78 · http://www.bjoernsworld.de
> Available for hire in Berlin (early 2015) · http://www.websitedev.de/
Received on Sunday, 18 January 2015 06:08:18 UTC