Re: I-D Action: draft-ietf-httpbis-client-hints-03.txt

Nick Doty <npdoty@ischool.berkeley.edu> Thu, 02 February 2017 23:34 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5FFFB1295F7 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 2 Feb 2017 15:34:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.619
X-Spam-Level:
X-Spam-Status: No, score=-9.619 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_SORBS_SPAM=0.5, RP_MATCHES_RCVD=-3.199, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ischool-berkeley-edu.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NelYu1WB6Uzp for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 2 Feb 2017 15:34:25 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D2E9A1295F5 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Thu, 2 Feb 2017 15:34:24 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1cZQqM-0002li-Ch for ietf-http-wg-dist@listhub.w3.org; Thu, 02 Feb 2017 23:31:10 +0000
Resent-Date: Thu, 02 Feb 2017 23:31:10 +0000
Resent-Message-Id: <E1cZQqM-0002li-Ch@frink.w3.org>
Received: from titan.w3.org ([128.30.52.76]) by frink.w3.org with esmtps (TLS1.2:RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <npdoty@berkeley.edu>) id 1cZQqF-0002kF-9U for ietf-http-wg@listhub.w3.org; Thu, 02 Feb 2017 23:31:03 +0000
Received: from mail-pg0-f52.google.com ([74.125.83.52]) by titan.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.84_2) (envelope-from <npdoty@berkeley.edu>) id 1cZQq7-00067u-Rz for ietf-http-wg@w3.org; Thu, 02 Feb 2017 23:30:57 +0000
Received: by mail-pg0-f52.google.com with SMTP id 204so908401pge.0 for <ietf-http-wg@w3.org>; Thu, 02 Feb 2017 15:30:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ischool-berkeley-edu.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc:message-id:references :to; bh=94NwX6+1YY5V8jR0kFfMGQFp/X+GQp1nv/pOLI8g3MU=; b=035oEIbBSGpBMzb0o4EUB6LGqe9GyWBxc4UlVUmeXotwQZoMqLeHMCvbMGNsKxofUd Ih0SOcjKa214qqpdnWNli013fB0Z/Bbk69yU7hbICF3GpFgUU5etMWDC3yl3zjzPTLVe PdfiuGFA6GM54GpApDxw+JnXG1JFHyz5yTC3LOaNkTZFnpbd4CsWsispuN6hxntmLO9O 3edsrzTrzyUIymHzgiu06SeB1dgB/hdAw1LTA1AGgaWBM0QW+KsA5O+DwG+ZDf9FlXO5 OSad0m/rXj1vRsJlCD54hSEH83BPsTkjtqshI/4OQjgAJySGuSE9TXnn6xjPFz64OWiG a0WQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=94NwX6+1YY5V8jR0kFfMGQFp/X+GQp1nv/pOLI8g3MU=; b=hTQt+cE8Cg8cNFtG2WsAfvD4ywfcxwyCgnIhtFl21urRsTnpG6SC6HQ9p+wWG8sEuw XtaOIgYcl3U0YoTg6O8zvWOAME61qnn4mOIsFCJMuKp6Kb9ZW/TGmliqZbIDQCu0sg4U 1t5o1v9o7o6z8KVHd5OQSn5miXs8dTmBGSyuakOySyxgtL4cPPoFvTGoY/w0nhddyJDW qToqepkuuj6uUaJy6rNhx1VFyt4GHHSYFVdpxA9dZvrDos/+aofi/a2DLMrcUGPQVFs4 DvsNXzTSNRKCJw6vUjCOOIiE7E/7ZnY68dDvHEQJBGayodhthRg4xCA/7sfhj0NaEa3O eNuA==
X-Gm-Message-State: AIkVDXIHthgG02dn0r8OLKB0h3cmeWv4rYz0xvwi8ZguZhbCPPDZkdT9tkoDCvhIn2VDavgc
X-Received: by 10.84.233.193 with SMTP id m1mr16621450pln.126.1486078228747; Thu, 02 Feb 2017 15:30:28 -0800 (PST)
Received: from [192.168.1.147] (23-122-129-170.lightspeed.sntcca.sbcglobal.net. [23.122.129.170]) by smtp.gmail.com with ESMTPSA id j128sm61264174pfg.73.2017.02.02.15.30.27 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Thu, 02 Feb 2017 15:30:28 -0800 (PST)
Content-Type: multipart/signed; boundary="Apple-Mail=_34BE09D5-72CF-4262-9F56-0B40AFD9646D"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Nick Doty <npdoty@ischool.berkeley.edu>
In-Reply-To: <7AE1C62F-3899-412E-8EB3-062FDC8CFEEF@mnot.net>
Date: Thu, 02 Feb 2017 15:30:24 -0800
Cc: Ilya Grigorik <ilya@igvita.com>, HTTP working group mailing list <ietf-http-wg@w3.org>, public-privacy <public-privacy@w3.org>
Message-Id: <224212CF-7955-4F83-A194-C33BC9F0A139@ischool.berkeley.edu>
References: <148070210225.29664.2630836091018103593.idtracker@ietfa.amsl.com> <15ba01d24d4b$bbd65ec0$33831c40$@baycloud.com> <AEB52D75-E794-468E-B954-E57A63C6EB3D@ischool.berkeley.edu> <F4E8AD6F-2981-440D-9D1F-09A5D361FD6A@mnot.net> <7AE1C62F-3899-412E-8EB3-062FDC8CFEEF@mnot.net>
To: Mark Nottingham <mnot@mnot.net>
X-Mailer: Apple Mail (2.3124)
Received-SPF: pass client-ip=74.125.83.52; envelope-from=npdoty@berkeley.edu; helo=mail-pg0-f52.google.com
X-W3C-Hub-Spam-Status: No, score=-5.4
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_SORBS_SPAM=0.5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: titan.w3.org 1cZQq7-00067u-Rz f34380ea2a0a9af7d1ef56ad9cd795bc
X-Original-To: ietf-http-wg@w3.org
Subject: Re: I-D Action: draft-ietf-httpbis-client-hints-03.txt
Archived-At: <http://www.w3.org/mid/224212CF-7955-4F83-A194-C33BC9F0A139@ischool.berkeley.edu>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/33429
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Thanks, Mark, for following up with a nudge. (CC public-privacy@w3c)

> On Jan 30, 2017, at 11:27 PM, Mark Nottingham <mnot@mnot.net> wrote:
> 
> It's been a month, and there haven't been any responses to the suggestions below. We're really close to shipping this spec, can we please get it over the line?
> 
> I've nominated stuckees below...
> 
> Cheers,
> 
>> On 26 Dec 2016, at 7:47 am, Mark Nottingham <mnot@mnot.net> wrote:
>> 
>> Thanks, Nick.
>> 
>> A few responses below.
>> 
>>> On 13 Dec 2016, at 8:08 pm, Nick Doty <npdoty@ischool.berkeley.edu> wrote:
>>> 
>>> I share Mike's concern about the privacy issues of this proposed mechanism. It appears that this feature would ease browser fingerprinting; inhibit efforts to detect or mitigate browser fingerprinting; and expose local network information. The Security Considerations section does not adequately describe or mitigate these impacts.
>>> 
>>> In particular, while some information exposed in these hints may already be available to client-side JavaScript in some browser implementations, making the same information available in (potentially all) HTTP requests would make fingerprinting more trivially achievable and, importantly, less detectable. Making fingerprinting detectable is a key goal given the challenge of eliminating the capability altogether and the potential harmful effects of unsanctioned tracking methods. Moving information about the user from active client-side code into HTTP requests inhibits user agents, researchers and policymakers in detecting that fingerprinting is ongoing.
>> 
>> Right. It seems like Security Considerations needs to be rewritten with this in mind; i.e., that fingerprinting which used to require active measures could now be performed passively.
> 
> Ilya, do you want to attempt a revision here? Would you like some help?

(One suggestion for the intro at the bottom of this message.)

>>> Related, adding HTTP headers for subrequests, including to static resources, exposes client information to parties that previously would not have been able to access it, and in a way where the user agent cannot detect it. The Introduction notes as a limitation that HTTP cookies are bound by the same-origin policy; we typically cite the same-origin policy as a feature of the Web privacy model, not something to be removed.
>> 
>> In some cases, CH is necessary on sub requests for proper conneg; e.g. DPR and Width. In others, it could probably be restricted to the navigation request (e.g., Viewport-Width).
>> 
>> Ilya, I know we'd said that much of this could be handled in the Fetch integration, but could we have some high-level constraints on when it's to be sent in this spec?
> 
> Ilya? There seem to be some similarities with <https://github.com/httpwg/http-extensions/issues/156 <https://github.com/httpwg/http-extensions/issues/156>> here.
> 
>>> Finally, this draft includes adding access to local network information; as defined, this is potentially high entropy (as opposed to "Save-Data" which has only the "on" value) the "Downlink" header has (at least) 33 values in the cited Community Group report and user agents and can also reveal private network topology that might otherwise have been intentionally obscured.
>> 
>> Save-Data is defined in terms of NetInfo's downlinkMax, which seems to be a double. Personally, I'd agree that having that much precision isn't terribly helpful.
>> 
>> Ilya, as an aside -- referring to NetInfo is going to be problematic; it will likely block publication. Can we make that non-normative (or ideally, drop it)?
> 
> Ilya?
> 
>>> Mitigations could include, as Mike suggests, asking users to opt in, although explaining the details to users may be difficult.
>> 
>> That's already discussed in Security Considerations, although we could certainly expand it. Would you mind making text suggestions?
> 
> Nick?

A draft of text that could be added to the mechanisms/mitigations paragraph:

> Implementers may provide user choice mechanisms so that users may balance privacy concerns with bandwidth limitations. Implementations specific to certain use cases or threat models might avoid transmitting these headers altogether, or limit them to authenticated sessions. Implementers should be aware that explaining the privacy implications of passive fingerprinting or network information disclosure may be challenging.

I think mitigations regarding detectability (for example, requiring Accept-CH below) won't lend themselves very well to user choice mechanisms -- detection is a mitigation against fingerprinting that isn't limited to an individual user; all users benefit when it's easier for researchers or policymakers to detect the use of unsanctioned tracking mechanisms.

>>> Detectability could be improved by requiring that user agents only send client hint information in HTTP if the server has specifically requested it in an HTTP response header.
>> 
>> How do people feel about requiring Accept-CH before sending any CH? Right now it's implied, but we could raise this to a requirement.
> 
> Anyone? Raised as <https://github.com/httpwg/http-extensions/issues/284 <https://github.com/httpwg/http-extensions/issues/284>>

I've followed up on that Github issue; such a requirement would be a privacy benefit not only in terms of minimizing data but also in terms of increasing the detectability of fingerprinting, which is one of the more important client fingerprinting mitigations.

>>> Specifying that hints should not be sent to other origins on subrequests would limit the unintentional spread of this client information. At that point, however, it's not entirely clear how great the functional advantage is over using existing mechanisms (like client-side JavaScript access to user agent information and explicit HTTP cookies for managing preferences). Restricting values to a smaller enumerated range is mentioned, but the specification does not provide such an enumeration or recommend its use.
>> 
>> It seems like candidates for that would be Width, Viewport-Width and Downlink (as discussed above).
>> 
>> AFAICT Width and Viewport-Width do not require pixel precision; would rounding to the nearest 10 be sufficient?
> 
> Ilya?
> 
>>> While I'm glad to see that there has been some discussion of active/passive fingerprinting and our draft on mitigating browser fingerprinting (https://github.com/httpwg/http-extensions/issues/215) I'm not sure those issues have been substantively resolved. That implementers could potentially implement a variety of mitigations is accurate, but if we consider which of those mitigations is necessary to prevent a marked harm to user privacy, we could include some mitigations in the design, such that UA/server implementation variation doesn't determine the outcome.
>>> 
>>> The first sentence of the Security Considerations section appears to be false.
>>>> Client Hints defined in this specification do not expose new
>>>> information about the user's environment beyond what is already
>>>> available to, and can be communicated by, the application at runtime
>>>> via JavaScript and CSS.

Presumably this could be addressed in re-writing the Security Considerations section. A potential start to that section:

Client Hints defined in this specification may expose information about user's devices or network connections and include information in HTTP headers that may previously have been accessible through client-side scripting. Implementers should be aware of implications for new information disclosure, information disclosure to different parties and for the increased capacity for passive fingerprinting.

>>> Both the Downlink and Save-Data client hint, if broadly implemented, would likely reveal new information about the user's environment. Also, it's generally concerning when the first sentence of the Security Considerations section does not summarize the security or privacy issues of a specification but instead suggests to the casual reader that there's nothing to see here.
>>> 
>>>> However, implementors
>>>> should consider the privacy implications of various methods to enable
>>>> delivery of Client Hints - see "Sending Client Hints" section.
>>> 
>>> The Security Considerations section also refers to the Sending Client Hints section, but I don't understand the point it's trying to make. Is it just that user agents can use user preferences to decide whether to send client hints and could use that as a time to consider privacy implications?
>>> 
>>> Thanks,
>>> Nick
>>> 
>>>> On Dec 3, 2016, at 1:58 AM, Mike O'Neill <michael.oneill@baycloud.com> wrote:
>>>> 
>>>> I worry that this makes fingerprinting easier for tracking servers, especially for subresources.
>>>> It is true that these capabilities are already available via JS but only for browsing contexts and the extra turnaround forces some stickiness. This would make these granular user-agent capabilities immediately available to any resource, without need for a round trip.
>>>> 
>>>> I think that at least the availability of a user opt-in should be a MUST.