From ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org Mon Jan 30 13:30:45 2023 Return-Path: X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA707C17CEA9 for ; Mon, 30 Jan 2023 13:30:45 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.647 X-Spam-Level: X-Spam-Status: No, score=-2.647 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AEadhrfQCIJk for ; Mon, 30 Jan 2023 13:30:41 -0800 (PST) Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 982E4C17CEA6 for ; Mon, 30 Jan 2023 13:30:41 -0800 (PST) Received: from lists by lyra.w3.org with local (Exim 4.94.2) (envelope-from ) id 1pMbhB-005Uel-SP for ietf-http-wg-dist@listhub.w3.org; Mon, 30 Jan 2023 21:28:09 +0000 Resent-Date: Mon, 30 Jan 2023 21:28:09 +0000 Resent-Message-Id: Received: from titan.w3.org ([128.30.52.76]) by lyra.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1pMbh9-005UdT-LE for ietf-http-wg@listhub.w3.org; Mon, 30 Jan 2023 21:28:07 +0000 Received: from mail-ej1-f48.google.com ([209.85.218.48]) by titan.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1pMbh6-007cYL-6j for ietf-http-wg@w3.org; Mon, 30 Jan 2023 21:28:07 +0000 Received: by mail-ej1-f48.google.com with SMTP id kt14so35937357ejc.3 for ; Mon, 30 Jan 2023 13:28:05 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=wVdvdz59nLO0p0Liium+vhIPL+lo4yuQXCtRcSAwbsU=; b=Dhs6weQCKD9EcdAjVPTjfXFk2ELqgYy7qLMx7VYorT2KJjIcuhDbNdR4+DT48jfv7y mQj3O1dPa7sqsHTAyVmJ/cXSg0qRetIbZm60UdhF8PDbgnUxCOwUG8yEEVEvMoRYNVCG jipC4KIG2tZL3lwlxVmsbNQrliVEJx4zmp3EwUZQsUkSn0VDgDqjf/t5RMFLhkkF3jh7 E7uVecU0oDplWAR1Klw9rx490vZmi54aXMLz74CRp8IoKcQK1Nu59DIwAQ7Oidy78qvQ RY3t6TexlPgoitmqiyQFxqrx0F7HSRe7XsSrLcuK45DTXvSY5Mk/mLTfVJYY6pYDF1CN Xi5w== X-Gm-Message-State: AFqh2kqqp0hamg+B/wOBXmgzaa+N4wSuq3GB+JfeiWQFN8B9w8KVqENM lRYIf7oi/VVWcCad+lAEcNKcxc5CMcOVcmAuigma+A== X-Google-Smtp-Source: AMrXdXupoypqxrBKTcTYCGAi7FNkCtNLIDxQ4Zs385ckrEo/oSUDwKeeOr/9CfLSySu0T6n38Md9yEeKOC/KMvdpPac= X-Received: by 2002:a17:906:14c1:b0:7c0:b3a8:a5f9 with SMTP id y1-20020a17090614c100b007c0b3a8a5f9mr8065577ejc.154.1675114074254; Mon, 30 Jan 2023 13:27:54 -0800 (PST) MIME-Version: 1.0 References: <16133a2f-5fbe-0f7f-c2ea-e83d20fdb3cc@gmail.com> <20230130084455.6ede70c9@fabiankeil.de> <5d420b68-e4b2-34b8-1a56-a9fddf9872a0@gmail.com> In-Reply-To: <5d420b68-e4b2-34b8-1a56-a9fddf9872a0@gmail.com> From: Nick Harper Date: Mon, 30 Jan 2023 13:27:42 -0800 Message-ID: To: "Soni L." Cc: ietf-http-wg@w3.org Content-Type: multipart/alternative; boundary="0000000000005ac6da05f381e3c4" Received-SPF: none client-ip=209.85.218.48; envelope-from=nharper@nharper.org; helo=mail-ej1-f48.google.com X-W3C-Hub-Spam-Status: No, score=-3.9 X-W3C-Hub-Spam-Report: BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, W3C_AA=-1, W3C_WL=-1 X-W3C-Scan-Sig: titan.w3.org 1pMbh6-007cYL-6j e86a3ac7e232627e89c3a3b3c4f116e8 X-Original-To: ietf-http-wg@w3.org Subject: Re: Slower HTTP for privacy Archived-At: Resent-From: ietf-http-wg@w3.org X-Mailing-List: archive/latest/40721 X-Loop: ietf-http-wg@w3.org Resent-Sender: ietf-http-wg-request@w3.org Precedence: list List-Id: List-Help: List-Post: List-Unsubscribe: --0000000000005ac6da05f381e3c4 Content-Type: text/plain; charset="UTF-8" It sounds like what you want is Client Hints ( https://developer.mozilla.org/en-US/docs/Web/HTTP/Client_hints). On Mon, Jan 30, 2023 at 10:48 AM Soni L. wrote: > > > On 1/30/23 04:44, Fabian Keil wrote: > > "Soni L." wrote on 2023-01-29 at 11:45:53: > > > > > It would be appreciated if there were a slower HTTP, with more round > > > trips, explicitly designed with privacy negotiation in mind. > > > > > > Importantly, you can't leak data which you do not have. The best way > to > > > not have that data is to not receive it. > > > > > > Why does a server need to accept user agents and a bunch of other > > > unnecessary stuff if it isn't gonna use it? Doesn't it just make the > > > server more liable for no good reason? Make it possible to turn it > off! > > > Most of it can just be turned off. > > > > > > In fact, the simplest servers (static hosting) only really need the > URL > > > and the Host. Everything else is unnecessary liability. > > > > It's not exactly what you ask for, but Privoxy [0] has a > > delay-response{} response action [1] that is somewhat related. > > > > Fabian > > > > [0] > > [1] < > https://www.privoxy.org/user-manual/actions-file.html#DELAY-RESPONSE> > It's not at all what we ask for! Uh, we mean like, why does the HTTP > server have to parse and discard the User-Agent header and another 10 or > so headers which it has no use for, instead of just... not receiving > those headers in the first place? > > Why can't the client send URL and Host, then wait for the server to send > a Headers Required message, then send the required headers (which may be > none)? Yes, it takes longer (more RTTs), but the best way to improve > privacy is to not have the data in the first place. > > --0000000000005ac6da05f381e3c4 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
It sounds like what you want is Client Hints (https://deve= loper.mozilla.org/en-US/docs/Web/HTTP/Client_hints).

On Mon, Jan 30, 202= 3 at 10:48 AM Soni L. <faked= me+http@gmail.com> wrote:


On 1/30/23 04:44, Fabian Keil wrote:
> "Soni L." <fakedme+http@gmail.com> wrote on 2023-01-29 at 11:45= :53:
>
> > It would be appreciated if there were a slower HTTP, with more ro= und
> > trips, explicitly designed with privacy negotiation in mind.
> >
> > Importantly, you can't leak data which you do not have. The b= est way to
> > not have that data is to not receive it.
> >
> > Why does a server need to accept user agents and a bunch of other=
> > unnecessary stuff if it isn't gonna use it? Doesn't it ju= st make the
> > server more liable for no good reason? Make it possible to turn i= t off!
> > Most of it can just be turned off.
> >
> > In fact, the simplest servers (static hosting) only really need t= he URL
> > and the Host. Everything else is unnecessary liability.
>
> It's not exactly what you ask for, but Privoxy [0] has a
> delay-response{} response action [1] that is somewhat related.
>
> Fabian
>
> [0] <https://www.privoxy.org/>
> [1] <https://www.privoxy= .org/user-manual/actions-file.html#DELAY-RESPONSE>
It's not at all what we ask for! Uh, we mean like, why does the HTTP server have to parse and discard the User-Agent header and another 10 or so headers which it has no use for, instead of just... not receiving
those headers in the first place?

Why can't the client send URL and Host, then wait for the server to sen= d
a Headers Required message, then send the required headers (which may be none)? Yes, it takes longer (more RTTs), but the best way to improve
privacy is to not have the data in the first place.

--0000000000005ac6da05f381e3c4--