Re: Submitted new I-D: Cache Digests for HTTP/2

Kazuho Oku <kazuhooku@gmail.com> Wed, 13 January 2016 02:35 UTC

Resent-Date: Wed, 13 Jan 2016 02:31:26 +0000
Resent-Message-Id: <E1aJBDa-0000HN-LH@frink.w3.org>
MIME-Version: 1.0
In-Reply-To: <CABCZv0piAoDnA1J+2pJ3HyF_iRwj9AaFGfonFjdKGfYr=cGZgQ@mail.gmail.com>
References: <CAAMqGzYUoCMxBxUEY9wfLOHZp7nrO4d1q5JZo=96pfEbVS1-ew@mail.gmail.com> <652C3E3A-3DA6-40BB-82FF-01A7D65FF65C@lukasa.co.uk> <CABCZv0piAoDnA1J+2pJ3HyF_iRwj9AaFGfonFjdKGfYr=cGZgQ@mail.gmail.com>
Date: Wed, 13 Jan 2016 11:30:54 +0900
Message-ID: <CANatvzx5_cLsHjPSD5gcdRmTW29LUAXXHAm3E=8C-9Q_g-PAMw@mail.gmail.com>
From: Kazuho Oku <kazuhooku@gmail.com>
To: Chris Bentzel <chris@bentzel.net>
Cc: Cory Benfield <cory@lukasa.co.uk>, Alcides Viamontes E <alcidesv@zunzun.se>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Received-SPF: pass client-ip=74.125.82.42; envelope-from=kazuhooku@gmail.com; helo=mail-wm0-f42.google.com
Subject: Re: Submitted new I-D: Cache Digests for HTTP/2
Archived-At: <http://www.w3.org/mid/CANatvzx5_cLsHjPSD5gcdRmTW29LUAXXHAm3E=8C-9Q_g-PAMw@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list

2016-01-11 19:42 GMT+09:00 Chris Bentzel <chris@bentzel.net>:
> The draft does cover some privacy concerns (such as clearing the digest when
> cookies are cleared).
>
> One concern not covered is how to deal with cases where a client may have
> cached content from an origin with a mix of cookies. For example, if a user
> has enabled third-party cookie blocking in a browser and has visited an
> origin in both a first-party and third-party context there may be a mix of
> cached content with a session identifier cookie and no cookie.
>
> If the user re-visits that origin in a first-party context, the digest may
> reveal content retrieved in a third-party context.

Thank you for raising the concern.

My understanding is that it is already possible to track users that
reject third-party cookies using cache-based fingerprint.  The change
in this draft that such tracking becomes passive.

> One option is to treat cached content as if there is an implicit Vary:
> Cookie header and only include in the digest if it matches. The draft
> already requires only including fresh cached entries in the digest so a
> selection process for cached entries already will need to exist.

Interesting.

IMO, web browsers configured to reject third-party cookies should
ideally set implicit `Vary: host` for every entry it caches.  Doing so
not only solves passive fingerprinting (which becomes possible with
this draft), but also will prevent active fingerprinting as well
(which is already possible).

If such change cannot be made within the web browsers, then we should
look for a workaround...

> On Mon, Jan 11, 2016 at 3:16 AM, Cory Benfield <cory@lukasa.co.uk> wrote:
>>
>>
>> > On 10 Jan 2016, at 17:11, Alcides Viamontes E <alcidesv@zunzun.se>
>> > wrote:
>> >
>> > Can we embed the cache digest in a header?
>> > ——————————————————————————————
>> >
>>
>> On a personal level I am extremely nervous about shoving 24kB of data into
>> a header value. The practice of doing this for Kerberos tokens already
>> caused us to require the CONTINUATION frame unpleasantness in RFC 7540.
>> Generally speaking it seems like smuggling long strings in HTTP headers is a
>> bit of an anti-pattern, and given that HTTP/2 gives us much nicer methods of
>> transporting this kind of data it seems a shame not to use them.
>>
>> Cory
>>
>



-- 
Kazuho Oku

Re: Submitted new I-D: Cache Digests for HTTP/2 Alex Rousskov
Re: Submitted new I-D: Cache Digests for HTTP/2 Martin Thomson
Submitted new I-D: Cache Digests for HTTP/2 Kazuho Oku
Re: Submitted new I-D: Cache Digests for HTTP/2 Kazuho Oku
Re: Submitted new I-D: Cache Digests for HTTP/2 Kazuho Oku
Re: Submitted new I-D: Cache Digests for HTTP/2 Alex Rousskov
Re: Submitted new I-D: Cache Digests for HTTP/2 Alcides Viamontes E
Re: Submitted new I-D: Cache Digests for HTTP/2 Alex Rousskov
Re: Submitted new I-D: Cache Digests for HTTP/2 Cory Benfield
Re: Submitted new I-D: Cache Digests for HTTP/2 Chris Bentzel
Re: Submitted new I-D: Cache Digests for HTTP/2 Ilya Grigorik
Re: Submitted new I-D: Cache Digests for HTTP/2 Martin Thomson
Re: Submitted new I-D: Cache Digests for HTTP/2 Kazuho Oku
Re: Submitted new I-D: Cache Digests for HTTP/2 Kazuho Oku
Re: Submitted new I-D: Cache Digests for HTTP/2 Kazuho Oku
Re: Submitted new I-D: Cache Digests for HTTP/2 Alcides Viamontes E
Re: Submitted new I-D: Cache Digests for HTTP/2 Stefan Eissing
Re: Submitted new I-D: Cache Digests for HTTP/2 Stefan Eissing
Re: Submitted new I-D: Cache Digests for HTTP/2 Stefan Eissing
Re: Submitted new I-D: Cache Digests for HTTP/2 Amos Jeffries
Re: Submitted new I-D: Cache Digests for HTTP/2 Kazuho Oku
Re: Submitted new I-D: Cache Digests for HTTP/2 Kazuho Oku
Re: Submitted new I-D: Cache Digests for HTTP/2 Kazuho Oku
Re: Submitted new I-D: Cache Digests for HTTP/2 Kazuho Oku
Re: Submitted new I-D: Cache Digests for HTTP/2 Stefan Eissing
Re: Submitted new I-D: Cache Digests for HTTP/2 Stefan Eissing
Re: Submitted new I-D: Cache Digests for HTTP/2 Stefan Eissing
Re: Submitted new I-D: Cache Digests for HTTP/2 Amos Jeffries
Re: Submitted new I-D: Cache Digests for HTTP/2 Ilya Grigorik
Re: Submitted new I-D: Cache Digests for HTTP/2 Kazuho Oku
Re: Submitted new I-D: Cache Digests for HTTP/2 Kazuho Oku
Re: Submitted new I-D: Cache Digests for HTTP/2 Cory Benfield
Re: Submitted new I-D: Cache Digests for HTTP/2 Ilya Grigorik
Re: Submitted new I-D: Cache Digests for HTTP/2 Kazuho Oku
Re: Submitted new I-D: Cache Digests for HTTP/2 Martin Thomson
Re: Submitted new I-D: Cache Digests for HTTP/2 Kazuho Oku
Re: Submitted new I-D: Cache Digests for HTTP/2 Martin Thomson
Re: Submitted new I-D: Cache Digests for HTTP/2 Martin Thomson
Re: Submitted new I-D: Cache Digests for HTTP/2 Kazuho Oku
Re: Submitted new I-D: Cache Digests for HTTP/2 Stefan Eissing
Re: Submitted new I-D: Cache Digests for HTTP/2 Martin Thomson
Re: Submitted new I-D: Cache Digests for HTTP/2 Kazuho Oku
Re: Submitted new I-D: Cache Digests for HTTP/2 Kazuho Oku
Re: Submitted new I-D: Cache Digests for HTTP/2 Kazuho Oku
Re: Submitted new I-D: Cache Digests for HTTP/2 Martin Thomson
Re: Submitted new I-D: Cache Digests for HTTP/2 Kazuho Oku
Re: Submitted new I-D: Cache Digests for HTTP/2 Martin Thomson
Re: Submitted new I-D: Cache Digests for HTTP/2 Stefan Eissing
Re: Submitted new I-D: Cache Digests for HTTP/2 Julian Reschke
Re: Submitted new I-D: Cache Digests for HTTP/2 Kazuho Oku
Re: Submitted new I-D: Cache Digests for HTTP/2 Kazuho Oku
Re: Submitted new I-D: Cache Digests for HTTP/2 Stefan Eissing
Re: Submitted new I-D: Cache Digests for HTTP/2 Martin Thomson
Re: Submitted new I-D: Cache Digests for HTTP/2 Kazuho Oku
Re: Submitted new I-D: Cache Digests for HTTP/2 Stefan Eissing
Re: Submitted new I-D: Cache Digests for HTTP/2 Richard Bradbury
Re: Submitted new I-D: Cache Digests for HTTP/2 Kazuho Oku
Re: Submitted new I-D: Cache Digests for HTTP/2 Martin Thomson
Re: Submitted new I-D: Cache Digests for HTTP/2 Eliezer Croitoru
Re: Submitted new I-D: Cache Digests for HTTP/2 Kazuho Oku
Re: Submitted new I-D: Cache Digests for HTTP/2 Kazuho Oku
Re: Submitted new I-D: Cache Digests for HTTP/2 Kazuho Oku
Re: Submitted new I-D: Cache Digests for HTTP/2 Martin Thomson
Re: Submitted new I-D: Cache Digests for HTTP/2 Eliezer Croitoru
Re: Submitted new I-D: Cache Digests for HTTP/2 Richard Bradbury
Re: Submitted new I-D: Cache Digests for HTTP/2 Amos Jeffries
Re: Submitted new I-D: Cache Digests for HTTP/2 Martin Thomson
RE: Submitted new I-D: Cache Digests for HTTP/2 Mike Bishop
Re: Submitted new I-D: Cache Digests for HTTP/2 Alcides Viamontes E
Re: Submitted new I-D: Cache Digests for HTTP/2 Kazuho Oku
Re: Submitted new I-D: Cache Digests for HTTP/2 Stefan Eissing
Re: Submitted new I-D: Cache Digests for HTTP/2 Alcides Viamontes E
Re: Submitted new I-D: Cache Digests for HTTP/2 Kazuho Oku
Re: Submitted new I-D: Cache Digests for HTTP/2 Alcides Viamontes E
Re: Submitted new I-D: Cache Digests for HTTP/2 Kazuho Oku
Re: Submitted new I-D: Cache Digests for HTTP/2 Martin Thomson
Re: Submitted new I-D: Cache Digests for HTTP/2 Alcides Viamontes E
Re: Submitted new I-D: Cache Digests for HTTP/2 Alcides Viamontes E
RE: Submitted new I-D: Cache Digests for HTTP/2 Mike Bishop
Re: Submitted new I-D: Cache Digests for HTTP/2 Alcides Viamontes E
RE: Submitted new I-D: Cache Digests for HTTP/2 Mike Bishop
Re: Submitted new I-D: Cache Digests for HTTP/2 Patrick McManus
Re: Submitted new I-D: Cache Digests for HTTP/2 Kazuho Oku
Re: Submitted new I-D: Cache Digests for HTTP/2 Alcides Viamontes E