Re: Alt-Svc Privacy Concerns

Phil Lello <phil@dunlop-lello.uk> Sat, 09 April 2016 18:32 UTC


This is a slightly different issue than the described scenario, and I'm far
from certain that the risks are adequately highlighted there.

"By using unique names, servers could conceivably track client requests."
seems incredibly weak to the point of being dismissive, since it suggests a
per-client hostname being generated, and that it's incredibly unlikely
anyone would bother.

IMHO, it's quite likely that multiple seemingly unrelated sites operated by
the same entity might legitimately converge users to a common servername.
It's quite likely that at this point the user agent would see these as
candidates for sharing the same connection. It seems reasonable that there
should at least be a recommendation for a user agent to warn users that
there is significant potential for being tracked, and gain consent.

On Sat, Apr 9, 2016 at 6:51 PM, Martin Thomson <martin.thomson@gmail.com>
wrote:

> On 9 April 2016 at 14:41, Phil Lello <phil@dunlop-lello.uk> wrote:
> > I'm concerned that Alt-Svc, especially used like this, is re-introducing the
> > sort of privacy issues people have been trying to eliminate with cookies for
> > years. Apologies if this has already been discussed and I missed it.
>
> http://httpwg.org/http-extensions/alt-svc.html#tracking
>
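
An added example, not part of the original message or of the Alt-Svc draft: a client-side audit that parses the Alt-Svc values a user agent has received and reports alternative hostnames advertised by more than one origin, which is the convergence case raised in this message. The hostnames, header values and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# One alternative: protocol-id "=" quoted alt-authority, then optional ;parameters.
_ALT = re.compile(
    r'\s*([^=\s;,]+)="([^"]*)"'
    r'((?:\s*;\s*[^,;=\s]+=(?:"[^"]*"|[^,;\s]*))*)\s*(?:,|$)'
)

def parse_alt_svc(origin_host, value):
    """Return (protocol, host, port) tuples for one Alt-Svc field value."""
    if value.strip() == "clear":
        return []
    alternatives = []
    for proto, authority, _params in _ALT.findall(value):
        host, _, port = authority.rpartition(":")
        if not port.isdigit():
            continue  # malformed alt-authority, ignore it
        # An empty uri-host means "same host as the origin".
        alternatives.append((proto, (host or origin_host).lower(), int(port)))
    return alternatives

def shared_alternatives(observations):
    """Map each alternative host to the origins that advertised it,
    keeping only hosts named by more than one distinct origin."""
    by_alt = defaultdict(set)
    for origin_host, header in observations:
        origin = origin_host.lower()
        for _proto, host, _port in parse_alt_svc(origin, header):
            if host != origin:  # same-host alternatives link nothing new
                by_alt[host].add(origin)
    return {h: sorted(o) for h, o in by_alt.items() if len(o) > 1}

# Constructed sample: (origin host, Alt-Svc value received from it).
OBSERVED = [
    ("news.example", 'h2="edge.shared.example:443"; ma=86400'),
    ("shop.example", 'h2="edge.shared.example:443"; ma=86400, h2=":8443"'),
    ("blog.example", 'h2=":443"'),
    ("mail.example", "clear"),
]

if __name__ == "__main__":
    for alt, origins in shared_alternatives(OBSERVED).items():
        print(f"{alt} is advertised by: {', '.join(origins)}")
```
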