Re: I-D Action: draft-ietf-httpbis-client-hints-03.txt

Mark Nottingham <mnot@mnot.net> Fri, 03 February 2017 01:30 UTC

From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <224212CF-7955-4F83-A194-C33BC9F0A139@ischool.berkeley.edu>
Date: Fri, 3 Feb 2017 12:27:28 +1100
Cc: Ilya Grigorik <ilya@igvita.com>, HTTP working group mailing list <ietf-http-wg@w3.org>, public-privacy <public-privacy@w3.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <3E5E3BDC-3257-44CA-B1C0-2648823AF492@mnot.net>
References: <148070210225.29664.2630836091018103593.idtracker@ietfa.amsl.com> <15ba01d24d4b$bbd65ec0$33831c40$@baycloud.com> <AEB52D75-E794-468E-B954-E57A63C6EB3D@ischool.berkeley.edu> <F4E8AD6F-2981-440D-9D1F-09A5D361FD6A@mnot.net> <7AE1C62F-3899-412E-8EB3-062FDC8CFEEF@mnot.net> <224212CF-7955-4F83-A194-C33BC9F0A139@ischool.berkeley.edu>
To: Nick Doty <npdoty@ischool.berkeley.edu>
Subject: Re: I-D Action: draft-ietf-httpbis-client-hints-03.txt
Archived-At: <http://www.w3.org/mid/3E5E3BDC-3257-44CA-B1C0-2648823AF492@mnot.net>

On 3 Feb 2017, at 10:30 am, Nick Doty <npdoty@ischool.berkeley.edu> wrote:

>>>> Mitigations could include, as Mike suggests, asking users to opt in, although explaining the details to users may be difficult.
>>> 
>>> That's already discussed in Security Considerations, although we could certainly expand it. Would you mind making text suggestions?
>> 
>> Nick?
> 
> A draft of text that could be added to the mechanisms/mitigations paragraph:
> 
> > Implementers may

might? Otherwise people could read it as MAY.

> provide user choice mechanisms so that users may balance privacy concerns with bandwidth limitations. Implementations specific to certain use cases or threat models might avoid transmitting these headers altogether, or limit them to authenticated sessions.

s/authenticated sessions/secure contexts/ (or whatever the current terminology is)?

> Implementers should be aware that explaining the privacy implications of passive fingerprinting or network information disclosure may be challenging. 

How is this actionable?


>>>> The first sentence of the Security Considerations section appears to be false.
>>>>> Client Hints defined in this specification do not expose new
>>>>> information about the user's environment beyond what is already
>>>>> available to, and can be communicated by, the application at runtime
>>>>> via JavaScript and CSS.
> 
> Presumably this could be addressed in re-writing the Security Considerations section. A potential start to that section:
> 
> Client Hints defined in this specification may expose information about users' devices or network connections and include information in HTTP headers that may previously have been accessible through client-side scripting. Implementers should be aware of implications for new information disclosure, information disclosure to different parties and for the increased capacity for passive fingerprinting.

+1


--
Mark Nottingham   https://www.mnot.net/
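An added example, not text from this thread or from the Client Hints draft: a small Python policy showing how a user agent could apply the mitigations proposed above (only send hints to an origin that opted in via Accept-CH, only in a secure context, and only those hints the user has allowed). The hint names DPR, Width, Viewport-Width and Downlink are assumed to be the ones in the -03 draft, and the device values are constructed.

```python
from typing import Dict, Iterable, Set

# Constructed device/network state a user agent would hold; values are made up.
DEVICE_STATE: Dict[str, str] = {
    "DPR": "2.0",
    "Width": "1280",
    "Viewport-Width": "640",
    "Downlink": "10.5",
}

# Canonical spelling of each hint name keyed by lowercase, because HTTP
# field names are case-insensitive and Accept-CH may list them in any case.
CANONICAL = {name.lower(): name for name in DEVICE_STATE}


def parse_accept_ch(value: str) -> Set[str]:
    """Parse the comma-separated token list of an Accept-CH response header
    into canonical hint names, ignoring tokens this user agent does not know."""
    names: Set[str] = set()
    for tok in value.split(","):
        canon = CANONICAL.get(tok.strip().lower())
        if canon:
            names.add(canon)
    return names


def select_hints(accept_ch: str, secure_context: bool, user_allowed: Iterable[str],
                 state: Dict[str, str] = DEVICE_STATE) -> Dict[str, str]:
    """Return the request headers to attach, applying three gates in order:
    the origin must have opted in (Accept-CH), the connection must be a secure
    context, and the user must have allowed each hint in the UA's settings.
    An empty dict means "send nothing", the most conservative option."""
    if not secure_context:
        return {}
    requested = parse_accept_ch(accept_ch)
    allowed = {CANONICAL.get(n.lower(), n) for n in user_allowed}
    return {name: state[name] for name in sorted(requested)
            if name in allowed and name in state}


if __name__ == "__main__":
    # Origin asked for three hints; the user only allows the two layout hints.
    print(select_hints("DPR, Width, Downlink", True, ["DPR", "Width"]))
```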