Forwarding this idea along to httpbis as you (Stephen) suggested.
Although this could be retrofitted onto existing HTTP, not just
httpbis, since it's merely recommending practices which are already
legal in HTTP.
On Sep 13, 2013, at 5:17 AM, Stephen Farrell wrote:
On 09/13/2013 04:12 AM, Patrick Pelletier wrote:
On 9/12/13 1:18 PM, Dave Crocker wrote:
"privacy properties of IETF protocols and concrete ways in which
those could be improved."
One obvious thing is the amount of (usually unnecessary) information
leaked by the User-Agent field in HTTP.
Should we downgrade the User-Agent field (section 14.43 of RFC 2616)
from a SHOULD to a MAY?
I think everyone finds those values problematic, and not only for
privacy reasons. But yes, if you believe [1] then its probably the
biggest contributor to browser fingerprinting that's in an IETF
spec. (No idea if that site's evaluation is sound myself though.)
[1] https://panopticlick.eff.org/
Or, if that's too radical, should we standardize a small number of
fixed
strings to use in the User-Agent field? (For example, "Desktop/
1.0" for
desktop browsers, "Mobile/1.0" for mobile browsers, "Text/1.0" for
text
browsers like Lynx, "Batch/1.0" for non-interactive clients like curl
which are performing a task more specific than crawling the web, and
"Robot/1.0" for clients which are crawling the web?)
Interesting. An IANA registry of those kinds of value might just end
up like the UA string though, which also started out nice and simple.
I agree that things always start out simple and get messy. However, I
think there are some differences:
* The original User-Agent field was not designed with privacy in
mind. In fact, it was designed specifically to identify the product
and version the user is using. So, with a different goal (privacy
first), we will hopefully get different results.
* By specifying only a single product token, omitting comments, and
fixing the version number at 1.0, we've already eliminated a fair
amount of information. And then we further limit the information by
making the product name not the actual name of the software, but
merely a generic indication of the type of User-Agent; whatever is the
minimal amount of information necessary for any legitimate browser
sniffing that needs to occur. (Such as differentiating desktop and
mobile clients.)
And, of course, using the simplified User-Agent strings was just one
of my two proposals. My other proposal, which was even simpler,
though perhaps more radical, was to downgrade the requirement on User-
Agent from SHOULD to MAY, and encourage browsers not to send User-
Agent at all. (We could even change it to a SHOULD NOT if we feel
really heavy-handed.) One could argue that by using other techniques
such as responsive layout, no browser sniffing should be necessary at
all.
Maybe ask this on httpbis if you don't get more feedback here? That's
where you'd find folks who know if it could be done and who could do
it.
--Patrick
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
