Re: Alissa Cooper's No Objection on draft-ietf-httpbis-client-hints-14: (with COMMENT)

Yoav Weiss <yoav@yoav.ws> Wed, 17 June 2020 09:34 UTC

References: <159006870863.12702.17567729594777906050@ietfa.amsl.com> <CABcZeBNNfu8_JKjN=R1tKYujdLAiU=_Fd6Y7qytONE8Fpb7DVg@mail.gmail.com> <3DC0E897-7A17-4113-846A-775B1824036A@cooperw.in>
In-Reply-To: <3DC0E897-7A17-4113-846A-775B1824036A@cooperw.in>
From: Yoav Weiss <yoav@yoav.ws>
Date: Wed, 17 Jun 2020 11:00:35 +0200
Message-ID: <CACj=BEg4PcyjAenoKCVLTeqWJstGi4xkE7UQdznL8M4=7om1wQ@mail.gmail.com>
To: Alissa Cooper <alissa@cooperw.in>
Cc: Eric Rescorla <ekr@rtfm.com>, IESG <iesg@ietf.org>, draft-ietf-httpbis-client-hints@ietf.org, httpbis-chairs@ietf.org, HTTP Working Group <ietf-http-wg@w3.org>, Mark Nottingham <mnot@mnot.net>
Subject: Re: Alissa Cooper's No Objection on draft-ietf-httpbis-client-hints-14: (with COMMENT)
Archived-At: <https://www.w3.org/mid/CACj=BEg4PcyjAenoKCVLTeqWJstGi4xkE7UQdznL8M4=7om1wQ@mail.gmail.com>

On Thu, May 21, 2020 at 6:33 PM Alissa Cooper <alissa@cooperw.in> wrote:

>
>
> On May 21, 2020, at 12:25 PM, Eric Rescorla <ekr@rtfm.com> wrote:
>
>
>
> On Thu, May 21, 2020 at 6:48 AM Alissa Cooper via Datatracker <
> noreply@ietf.org> wrote:
>
>> Alissa Cooper has entered the following ballot position for
>> draft-ietf-httpbis-client-hints-14: No Objection
>>
>> When responding, please keep the subject line intact and reply to all
>> email addresses included in the To and CC lines. (Feel free to cut this
>> introductory paragraph, however.)
>>
>>
>> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
>> for more information about IESG DISCUSS and COMMENT positions.
>>
>>
>> The document, along with other ballot positions, can be found here:
>> https://datatracker.ietf.org/doc/draft-ietf-httpbis-client-hints/
>>
>>
>>
>> ----------------------------------------------------------------------
>> COMMENT:
>> ----------------------------------------------------------------------
>>
>> Section 1: "passively providing such information allows servers to silently
>> fingerprint the user" --> isn't pretty much all fingerprinting silent?
>>
>> Moreover, I think it would be good to explain in Section 1 that Client Hints
>> provides a way for servers to actively fingerprint clients rather than doing it
>> passively.
>>
>
> I actually don't think this characterization is correct. Specifically:
>
> - When something that clients unilaterally send now is replaced by a
> client hint (e.g., User-Agent) then this changes fingerprinting from
> passive to active
> - When something that you currently have to call a JS API to get is
> replaced by a client hint, then this makes it *more* passive because the
> server only has to take one action to get the hint indefinitely.
>
>
> Maybe this could be explained in the draft? The second bit didn’t really
> come through.
>

I have to say that I don't necessarily agree with the second sentence.
I don't think that "passive" vs. "active" fingerprinting is a spectrum.
IMO, "passive" describes undetectable fingerprinting whereas "active"
describes one that's detectable. The fact that Client Hints get updated
over time doesn't make them less detectable.
AFAIK, we don't consider e.g. CSS Media Queries to be a "more passive"
fingerprinting vector than their equivalent JS APIs. Both are active, as
their use is detectable on the client (including when they update the
information they expose).


> Alissa
>
>
> -Ekr
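The detectability point in the thread, shown as an added example that is not part of the original message or of the draft's text: a constructed client that only sends hints after an origin opts in through the draft's Accept-CH response header, and that records each opt-in. The origin, hint values and header names other than Accept-CH and the Sec-CH-UA-* names are constructed assumptions.

```python
"""Constructed simulation of the Client Hints opt-in flow.

Headers a client sends unilaterally (e.g. User-Agent) are a passive surface:
the server learns them without taking any observable action.  A hint is only
sent after the origin asks for it via Accept-CH, so the request for that
information is an event the client can observe and log.
"""
from dataclasses import dataclass, field

# Constructed: headers this client sends to every origin without being asked.
UNILATERAL_HEADERS = {"User-Agent": "ExampleBrowser/1.0 (constructed)"}

# Constructed: hints this client can provide; only sent after an opt-in.
AVAILABLE_HINTS = {"Sec-CH-UA-Platform": '"Linux"', "Sec-CH-UA-Arch": '"x86"'}


@dataclass
class Client:
    # origin -> set of hint names the origin asked for via Accept-CH
    opt_ins: dict = field(default_factory=dict)
    # audit log of opt-ins: the point at which hint use becomes detectable
    audit_log: list = field(default_factory=list)

    def request_headers(self, origin):
        """Headers for a request to `origin`: unilateral ones plus opted-in hints."""
        headers = dict(UNILATERAL_HEADERS)
        for hint in sorted(self.opt_ins.get(origin, set())):
            headers[hint] = AVAILABLE_HINTS[hint]
        return headers

    def process_response(self, origin, response_headers):
        """Record an Accept-CH opt-in; unknown hint names are ignored."""
        accept_ch = response_headers.get("Accept-CH")
        if accept_ch is None:
            return
        requested = {h.strip() for h in accept_ch.split(",") if h.strip()}
        honoured = requested & set(AVAILABLE_HINTS)
        self.opt_ins[origin] = honoured
        # Detectable event: this origin asked for exactly these hints.
        self.audit_log.append((origin, sorted(honoured)))


def simulate(origin="https://example.test",
             accept_ch="Sec-CH-UA-Platform, Sec-CH-UA-Arch, Sec-CH-Unknown"):
    """Two requests to one origin, with an Accept-CH opt-in in between."""
    client = Client()
    first = client.request_headers(origin)
    client.process_response(origin, {"Accept-CH": accept_ch})
    second = client.request_headers(origin)
    return first, second, client.audit_log
```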