IETF Logo Mail Archive

Re: A question about user tracking with QUIC

"Roy T. Fielding" <fielding@gbiv.com> Mon, 07 June 2021 19:42 UTC

Return-Path: <fielding@gbiv.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E69F73A0553 for <quic@ietfa.amsl.com>; Mon, 7 Jun 2021 12:42:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=gbiv.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7kcQgNub0Do6 for <quic@ietfa.amsl.com>; Mon, 7 Jun 2021 12:42:50 -0700 (PDT)
Received: from crab.ash.relay.mailchannels.net (crab.ash.relay.mailchannels.net [23.83.222.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5E0AB3A0542 for <quic@ietf.org>; Mon, 7 Jun 2021 12:42:48 -0700 (PDT)
X-Sender-Id: dreamhost|x-authsender|fielding@gbiv.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id 899FF540C33; Mon, 7 Jun 2021 19:42:44 +0000 (UTC)
Received: from pdx1-sub0-mail-a78.g.dreamhost.com (100-96-17-41.trex.outbound.svc.cluster.local [100.96.17.41]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id 21563541DEB; Mon, 7 Jun 2021 19:42:44 +0000 (UTC)
X-Sender-Id: dreamhost|x-authsender|fielding@gbiv.com
Received: from pdx1-sub0-mail-a78.g.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384) by 100.96.17.41 (trex/6.3.1); Mon, 07 Jun 2021 19:42:44 +0000
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|fielding@gbiv.com
X-MailChannels-Auth-Id: dreamhost
X-White-Tank: 050580bb793749b2_1623094964377_2512402914
X-MC-Loop-Signature: 1623094964377:2400247559
X-MC-Ingress-Time: 1623094964376
Received: from pdx1-sub0-mail-a78.g.dreamhost.com (localhost [127.0.0.1]) by pdx1-sub0-mail-a78.g.dreamhost.com (Postfix) with ESMTP id B2DA38AEEA; Mon, 7 Jun 2021 12:42:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=gbiv.com; h=content-type :mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; s=gbiv.com; bh=Q5AzUEvbIcfkdXfMTyX9Esq5TXw=; b=SH6b/kWquusa2+5KUlVttVcqZtAj 33VziuyImG4m1pXrdO7luwSRvx/aAllGoh/AEb/mofA7TkbI3v1MsNsiti0v56E7 zmJHSYAmt++3vGMQOlyaVrKihbYHAzBO8y47sbM3E2QmJlmV95rkYMoOsMoanSFu cGkVrZJi2rCsv6g=
Received: from [192.168.1.19] (ip68-101-102-139.oc.oc.cox.net [68.101.102.139]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: fielding@gbiv.com) by pdx1-sub0-mail-a78.g.dreamhost.com (Postfix) with ESMTPSA id 9B3E07E450; Mon, 7 Jun 2021 12:42:41 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.7\))
Subject: Re: A question about user tracking with QUIC
X-DH-BACKEND: pdx1-sub0-mail-a78
From: "Roy T. Fielding" <fielding@gbiv.com>
In-Reply-To: <20210607190027.GC5394@sources.org>
Date: Mon, 07 Jun 2021 12:42:40 -0700
Cc: IETF QUIC WG <quic@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <7CE3F7FC-21C1-4519-AA60-A2FDFFC512EE@gbiv.com>
References: <20210607123854.GA16312@nic.fr> <CAC7UV9bkqOeCgDsCH+Hdq0v=zmRKNNDtpfiq6Ap_vzm5zUzGVg@mail.gmail.com> <CALGR9oZiUe5TyY3Tv432__GH=v+Lpv2EZah0G4ZD+g3E2FkaMg@mail.gmail.com> <20210607130422.GA27971@sources.org> <EE723B6D-7B6B-4B68-A4A1-F1809CF68F1B@gmail.com> <20210607142015.GA31240@sources.org> <C1B56269-0EF7-42EC-8824-70F7485807B2@gmail.com> <20210607190027.GC5394@sources.org>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
X-Mailer: Apple Mail (2.3608.120.23.2.7)
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/enDoX-vdolUycNqWITHOl3fTs8U>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Jun 2021 19:42:55 -0000

On Jun 7, 2021, at 12:00 PM, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
> 
> Any specific reference to such a discussion about privacy "against"
> the server? I did not find any.

There have been many discussions about session establishment and
reestablishment.  Too many to note. However, "user tracking" is not the
term used when the same server remembers interactions with a single user.
That's more typically referred to as analytics or sessions, not tracking.

There is a relevant concern about multisite tracking on servers that
present a certificate for multiple origins, but that applies to both H2 and H3
and only if the browser chooses to reuse the same session layer across
multiple sites. Regardless, this is nothing compared to a browser's inherent
tracking features that any origin server is capable of directing for the
sake of tracking at the HTML/JS layer.

There was a conscious decision, early on, that QUIC would not attempt to
provide the same features as Tor (or any other sort of privacy broker).
It is simply impossible for a protocol to do a better job at that without
centralizing everything by default, which would then be a far greater danger
to users than individual origin sessions. Using QUIC to communicate with
a user-selected, private intermediary (like Tor) would be much better, I think,
than trying to do the same with H1/TLS or H2/TLS. Or at least it will be once
there is a large number of users using the same protocols.

> (And having important discussions on a Microsoft platform not
> controlled by the IETF is a bad idea, anyway, but I digress.)

The IETF does not have the resources to provide a comparable issue tracking
system, let alone one that manages PRs and version control for authors, while
providing extensive search capabilities at the same time. It's a tool.

....Roy

v2.23.0 | Report a Bug | By Email