W3C Group Proposed To Safeguard User Agent State Privacy

timothy posted about 2 years ago | from the dry-title-but-juicy-facts dept.

Privacy 76

First time accepted submitter FredAndrews writes "A Private User Agent W3C Community Group has been proposed to tackle the privacy of the web browser by developing technical solutions to close the leaks. Current Javascript APIs are capable of leaking a lot of information as we browse the Internet, such as details of our browser that can be used to identify and track our online presence, and the content on the page (including any private customizations and the effects of extensions), and can monitor and leak our usage on the page such as mouse movements and interactions on the page. This problem is compounded by the increased use of the web browser as a platform for delivering software. While the community ignores the issue, solutions are being developed commercially and patented — we run the risk of ending up unable to have privacy because the solutions are patented. The proposed W3C PUA CG proposes to address the problem with technical solutions at the web browser, such as restricting the back channels available to Javascript, and also by proposing HTML extensions to mitigate lost functionality. Note, this work cannot address the privacy of information that we overtly share, and there are other current W3C initiatives working on this, such as DNT."

76 comments

want to be private (4, Insightful)

ozduo (2043408) | about 2 years ago | (#41424825)

don't visit the internet

Re:want to be private (-1)

Anonymous Coward | about 2 years ago | (#41425439)

don't visit the internet

and don't have sex with niggers

Re:want to be private (2)

hairyfeet (841228) | about 2 years ago | (#41425625)

Actually what we need is to replace JavaScript. I mean Good Lord the thing was designed in an earlier and frankly more naive age, they even named it after Java because Java was supposed to be the "next new thing" and they wanted to ride the buzz. It was just never designed for security and with more and more crap bolted to it to allow webapps it just gets worse every year. Heck, block all ads and watch the malware drop, the design just isn't very good for today's threats.

No what we need is a new language designed from the ground up for isolation and sandboxing, where ALL code is treated as totally untrusted and locked in a little box no matter what. We have browsers bolting this functionality on but honestly it's turd polishing, JavaScript just wasn't meant to be in any way secure but with more and more of our banking and shopping done online we need a newer better design. Perhaps something more virtual machine like where the regular web gets locked into a sandbox with practically no permissions, and then a limited whitelist set up by the user for banks, shopping, etc that uses a completely different VMed browser instance with zero in common.

Re:want to be private (0)

Anonymous Coward | about 2 years ago | (#41425989)

Don't confuse JS with DOM.

Re:want to be private (-1, Flamebait)

Anonymous Coward | about 2 years ago | (#41425993)

Actually what we need is to replace JavaScript. I mean Good Lord the thing was designed in an earlier and frankly more naive age, they even named it after Java because Java was supposed to be the "next new thing" and they wanted to ride the buzz. It was just never designed for security and with more and more crap bolted to it to allow webapps it just gets worse every year. Heck, block all ads and watch the malware drop, the design just isn't very good for today's threats.

No what we need is a new language designed from the ground up for isolation and sandboxing, where ALL code is treated as totally untrusted and locked in a little box no matter what.

Like Java? Fuck you.

Re:want to be private (-1)

Anonymous Coward | about 2 years ago | (#41426647)

Clearing incorrect mod

Yet another abuse of the patent system (3, Insightful)

Taco Cowboy (5327) | about 2 years ago | (#41424855)

The patent system was set up to encourage more people to invent new stuff - by protecting the interest of the inventor.

It was never intended for the restriction of the rights of others to protect themselves.

The use of patent in the solutions as outlined by TFA is another clear cut example of the abuse of the patent system.

I do not know how much more the world must suffer before the powers that be wake up to the fact that the patent system is hopelessly broken.

Overhaul the patent system now!

An even better idea. (1)

fox171171 (1425329) | about 2 years ago | (#41424907)

Do away with the patent system.
Get rid of copyright while you're at it.

Re:An even better idea. (3, Interesting)

causality (777677) | about 2 years ago | (#41425035)

Do away with the patent system. Get rid of copyright while you're at it.

A non-renewable copyright of five to ten years, which is valid only if owned by a natural (living, breathing, non-corporate) person, and becomes fully public domain at expiration... that might not be such a bad thing.

Re:An even better idea. (4, Interesting)

james_gnz (663440) | about 2 years ago | (#41425151)

The costs of patent litigation exceed their investment value in all industries except chemistry and pharmaceuticals.
Bessen, James & Meurer, Michael J. (2008) Patent Failure. Princeton University Press.
So it would make sense to abolish patents in all other areas.

The economically optimal copyright length, assuming a single flat term, is slightly less than 15 years
Pollock, Rufus (2009) Forever Minus a Day? Calculating Optimal Copyright Term.
I think it might be better to have a shorter copyright term followed by a further copyleft term though.

Re:An even better idea. (1)

causality (777677) | about 2 years ago | (#41425451)

I think it might be better to have a shorter copyright term followed by a further copyleft term though.

That's a damned good idea. Can't say I have much more to add.

Re:An even better idea. (1)

KiloByte (825081) | about 2 years ago | (#41427081)

Considering the effect of patents on drug availability, pushing worse drugs just because the old one's patent expired, and so on, I'd say: let's abolish patents ESPECIALLY on pharmaceuticals.

New and improved drugs (1)

tepples (727027) | about 2 years ago | (#41428037)

pushing worse drugs just because the old one's patent expired

In these cases, is the new drug really worse most of the time? If I recall correctly, the patent on fexofenadine (Allegra) came into being as its precursor terfenadine (Seldane), but it turned out that fexofenadine was so much safer than terfenadine that fexofenadine eventually wound up going over the counter. At worst, from what I've seen, the new drug is neither better nor worse, such as loratadine (Claritin) to its active metabolite desloratadine (Clarinex) or racemic omeprazole (Prilosec) to esomeprazole (Nexium).

Re:An even better idea. (1)

Darkness404 (1287218) | about 2 years ago | (#41425437)

Copyright is a stupid idea. It tries to create scarcity out of non-scarce things. Attempting to apply property law to things that are not scarce will always create more problems than it solves.

There should be laws against fraud. For example, you can't claim that you wrote a book that someone else wrote, but the book itself should be able to be read, published, and redistributed by anyone.

Re:An even better idea. (4, Insightful)

flimflammer (956759) | about 2 years ago | (#41426011)

Who the hell cares who wrote the book at that point? Some people seriously don't think about the consequences of a no copyright no patent environment. If there was absolutely no copyright or patents, the moment someone low in the food chain comes up with something, he can't do anything with it without risking losing it forever. What the hell incentive does he have to do anything with it? What the hell reason does anyone have to invest in R&D when someone can just jump in and take the final result and run with it? Do you think we as a people will seriously go "Well they came up with it first, so I'm going to buy their product" when the competitor is offering the same thing at a drastically lower price since they don't have the price of the past R&D to consider?

Yes, patents are abused and the system is currently absurd. Yes, copyright is abused and the system is currently absurd. (90+ year terms? Come on now.) But removing the systems completely instead of making them better makes no goddamn sense.

Re:An even better idea. (0)

Anonymous Coward | about 2 years ago | (#41427367)

Copyright and Patent Law are 2 different things completely! Patent law is a problem, copyright is necessary and deals with different issues than patents.

Copyright protects everyone, patent law is only as useful as your pockets are deep!

Re:An even better idea. (1)

flimflammer (956759) | about 2 years ago | (#41428729)

I know that, but there's no good reason to have 90+ year copyright terms.

Re:An even better idea. (1)

TuringTest (533084) | about 2 years ago | (#41430947)

If there was absolutely no copyright or patents, the moment someone low in the food chain comes up with something, he can't do anything with it without risking losing it forever. What the hell incentive does he have to do anything with it?

Exactly the same incentives that people had to create in the thousands of years before copyright and patents existed? "Intellectual property" doesn't protect the author of creative works, who may very well create it and keep it secret or limited to a small audience. The advances in arts and skills were kept to the small circle of one's guild so that it wouldn't be copied by competition, and industrial espionage was what advanced industries as a whole.

The argument that stopping IP will stop creativity because it won't protect the author is fallacious. Authors have many ways to benefit from their work other than selling copies, even when technology allows copies to be made for free. The only purpose of IP laws should be to benefit society at large so that new content is shared by default, instead of hidden under secrecy and benefit only the authors. The current IP rules that avoid the possibility of freely sharing content once it has been made available to the public, that is what makes no goddamn sense.

Re:An even better idea. (0)

Anonymous Coward | about 2 years ago | (#41432305)

Some people seriously don't think about the consequences of a no copyright no patent environment.

Only partially true. People like you have a fairly simplistic view also.

Generally speaking copyright and patents are just tools, the powerful have more of them and the balance of power does not change whether or not those tools exist.

e.g. Almost all authors make only pocket change from their work. A tiny fraction are pushed by the publishers and make more money because of the quantity of copies distributed but it's still only cents in the dollar. The serious money goes to the middle men, the people who do the actual copying.

That's not surprising. Think about what copyright is. It is a copy right, not a creating right. It rewards people who copy and distributor is just another name for copier.

This is crazy when you realize that copyright and patents means that literally billions (1000,000,000) of people are blocked from free speech and value so that one (1) person can have increased value. Huge amounts of value are flushed down the drain.

Copyright is just a creation of the mind and there are an infinite number of possible alternatives. We need to think more about what those alternatives are and stop throwing away value. No easy answers.

Re:An even better idea. (2)

Genda (560240) | about 2 years ago | (#41426025)

And the author whose fine work you're enjoying is remunerated how?

Re:An even better idea. (1, Insightful)

Decker-Mage (782424) | about 2 years ago | (#41426659)

Actually it's being demonstrated all the time with authors having freely downloadable books online yet people pay for them anyway to support their favorite authors. Toss in KickStarter and the like, music groups similarly getting paid for limited performances, etc. It's been shown time and again that the gatekeepers are exactly that, people supposedly with the knowledge to select the anointed and we pay for the privilege of supporting them in that role. Well, it isn't the middle ages nor the industrial age. It's the information age and I demonstrate, as do many others, that I'm willing to pay to support my entertainers.

Re:An even better idea. (1)

Genda (560240) | about 2 years ago | (#41445457)

Don't get me wrong, I applaud both your logic and your integrity... the only fly in the ointment is the cheesy lot that think something for nothing is a gawd given right. You can only have beautiful things by investing in them. It is a wise man who knows upon which side his bread is buttered. You speak of scarcity, if nothing else in this culture is scarce, it would be wisdom.

Re:Yet another abuse of the patent system (1)

causality (777677) | about 2 years ago | (#41425009)

I do not know how much more the world must suffer before the powers that be wake up to the fact that the patent system is hopelessly broken.

They are quite awake to it. Being awake and aware of the situation, they (the monied interests who make the important decisions) realized long ago that the current broken-ness serves their interests.

It is only the little guys, the nobodies like you and I, who might want to protect ourselves using techniques that never should have been patentable. Everyone else either collects a check or purchases a license for a trivial, infinitesimal portion of their net worth.

Re:Yet another abuse of the patent system (2)

manu0601 (2221348) | about 2 years ago | (#41425203)

I do not know how much more the world must suffer before the powers that be wake up to the fact that the patent system is hopelessly broken.

In most countries, the political parties able to govern serve the interests of the wealthier. Patents as a tool to defend against challengers are good for them. Nothing can change without more power to the people, which is really not an easy problem to solve. The Referendum d'Initiative Populaire is a solution, but there are not many countries where this exists.

Re:Yet another abuse of the patent system (0)

Anonymous Coward | about 2 years ago | (#41425395)

If someone patented it they need to recoup the costs of R&D and patent costs, so it is only fair they tax everyone who wants to develop, use, sell and market such solutions. This way we can help finance our own oppression, and frankly, historically there have been no other way to oppress people.

Keyword: beneath

What Drives This? (1)

causality (777677) | about 2 years ago | (#41424991)

Note, this work cannot address the privacy of information that we overtly share

Why do so many people feel an irresistible urge to disclaim claims that were never made?

It's a form of dumbing things down.

Re:What Drives This? (1)

FredAndrews (2736433) | about 2 years ago | (#41425433)

The word 'privacy' is quite loaded and is used in a lot of other contexts. The PUA CG is proposed to have a narrow scope so it can efficiently address the privacy of the web browser state. The W3C already has other forums to develop other areas of privacy and they are welcome to it.

Re:What Drives This? (1)

causality (777677) | about 2 years ago | (#41425469)

The word 'privacy' is quite loaded and is used in a lot of other contexts. The PUA CG is proposed to have a narrow scope so it can efficiently address the privacy of the web browser state. The W3C already has other forums to develop other areas of privacy and they are welcome to it.

The second and third sentences go together. The first has nothing to do with them.

Anyone who reads that summary and comprehended what they read would know that no claim to solve ALL privacy issues of every sort was made. Only a particular subset of a particular nature is being claimed.

If they did not comprehend what they read, the actual writing needs to cater to those who did. Only under these circumstances does the person who did not understand change into the person who does. Dumbing everything down means they can comfortably avoid learning anything new. They can do that without even the tiniest inconvenience of skipping this particular story. That's too much.

interactive use of javascript (0)

Anonymous Coward | about 2 years ago | (#41425001)

it and php can require the very things it needs to bring you a good game, just as the evil corporate use tracks the website urls...., there should be a separation somehow.....

Re:interactive use of javascript (1)

causality (777677) | about 2 years ago | (#41425089)

it and php can require the very things it needs to bring you a good game, just as the evil corporate use tracks the website urls...., there should be a separation somehow.....

The root of the problem is externally-directed people who will buy something because they're told in kiss-your-ass language that it would be a great idea. There is no short-term solution to that, now that it's become so common and well-established. So, this is only a partial solution, but Adblock Plus (with Privacy lists) + NoScript + Redirect Remover + a good /etc/hosts file, maybe also RequestPolicy works quite well. Once you get these things set up, you can more or less forget about them.

It's also nice to use StartPage.com instead of directly using Google.com.

Re:interactive use of javascript (1)

FredAndrews (2736433) | about 2 years ago | (#41425923)

Limiting the back channels available to Javascript should not limit the ability to write interactive games. Networked games may need to be white-listed, but if just sharing a high score etc then an intentional form submission could suffice.

Bravo! (0)

Anonymous Coward | about 2 years ago | (#41425021)

Now let's solve all the little niggles.

Translation... (3)

EdIII (1114411) | about 2 years ago | (#41425091)

The proposed W3C PUA CG proposes to address the problem with technical solutions at the web browser, such as restricting the back channels available to Javascript, and also by proposing HTML extensions to mitigate lost functionality.

In other words, we are going to break functionality used in just about every website out there, especially SAAS platforms that depend on it for delivering software.

That's okay though, because we are going to replace that functionality with HTML extension. You have tens of thousands of dollars to pump back into software development right?

Sheesh. I get where they are coming from, but man does it suck for people actually trying to develop and deliver complex platforms with web browsers as front ends.

Re:Translation... (1)

Anonymous Coward | about 2 years ago | (#41425153)

In other words, we are going to break functionality used in just about every website out there, especially SAAS platforms that depend on it for delivering software.

Those Software as a "Service" platforms can write their own damn clients. Or (heaven forbid) deliver a local executable and quit relying on subscription models and holding their customers' data hostage.

Re:Translation... (3, Interesting)

EdIII (1114411) | about 2 years ago | (#41425535)

Ohhh, yeah, sure. It's just that simple. Write a client.

There is a *reason* why a web browser is used:

- Cross platform. Linux, Mac, Windows, embedded whatever.
- No development costs directly associated with the client.
- Upgrades are instantaneous. CTRL-F5 effectively reloads all the software for a site.
- For some use cases it means a significantly cheaper interface to business platforms. No expensive licenses client side, or maintenance costs for a fat client.
- For some use cases, it does not mean SAAS. It could be an internal, proprietary, business platform delivered through a web interface only.
- For some use cases, it could mean greatly enhanced security as you have an internal website that services all interactions with customer data. No direct access to back end data is even possible.

Subscription models make perfect sense in some cases. Your rather simplistic rant about those fees completely ignores the fact that for businesses it often makes financial sense. In order to run your own platform you need to:

- Absorb 100% of the costs of development.
- Absorb 100% of the costs of maintenance, which includes keeping software engineers on staff who designed it.
- Absorb 100% of the costs of operating the platform. Includes servers, bandwidth, software licenses, etc.

I'm sure there are other costs and caveats I am not mentioning too.

I've looked into some very expensive SAAS platforms (30k per month subscription fee). I can tell you it actually made sense. To develop that platform would have taken me a team of developers and minimum 18 months to deliver. I have no doubt that I could have pulled it off, but in the end it would have cost more than the fees and required almost the subscription fee per month just to keep some of the developers on staff to maintain it, and continue to develop features we may need in the future.

Holding customer's data hostage? That only happens if you're an idiot. Have a very well spelled out legal contract, and make nightly incremental backups of your data. Some of the SAAS providers I have worked with set up an rsync of our data to our own servers. We back that up incrementally as well.

So where is the data being held hostage? It's not. What you are held hostage to is the platform. That is going to be true whether the platform exists some place else, or is a local executable on a local server in your company. That you are not always going to be able to get around very quickly. Switching business platforms is not something one just does for the heck of it.

Things shift around of course, but right now local clients that connect to business platforms are going the way of the dinosaur. Honestly, why even do it at all? Does not a standardized client that runs across multiple platforms not make sense to you at all? It happens to be a web browser right now, and in a more limited fashion Java, but it makes perfect sense to have one. Perhaps that is why SAAS has been taking off so fast. You know... the benefits to the end users.

Re:Translation... (0)

Anonymous Coward | about 2 years ago | (#41425899)

What we have here are two quite different sets of requirements: a lightweight, secure web browser for consumers, and a heavy, platform-independent, server-trusting interface for SAAS applications, for use in internal corporate networks where everything is trustable. What we've done, unfortunately, is to allow the latter set of requirements to hijack existing web browsers, making them bloated and insecure.

What we need to do is to cut down the functionality of existing web browsers to what average people actually need and can be made secure. SAAS folks can then, as the GP suggested, write their own damn (extensible, multi-purpose, cross-platform) clients; and don't call them web browsers.

Student, hobbyist, or micro-ISV developers (1)

tepples (727027) | about 2 years ago | (#41428639)

SAAS folks can then, as the GP suggested, write their own damn (extensible, multi-purpose, cross-platform) clients; and don't call them web browsers.

Under your plan, every student, hobbyist, or micro-ISV who wants to write what used to be called a web application has to pay an extra hundreds of dollars per year to get the client for the former web application into the iOS App Store, Windows Store, and Amazon Appstore, and the application becomes entirely unavailable to users of a platform with a web browser but no program for student, hobbyist, or micro-ISV developers, such as Wii, 3DS, PS3, and PS Vita.

Re:Translation... (0)

Anonymous Coward | about 2 years ago | (#41426983)

- Cross platform. Linux, Mac, Windows, embedded whatever.
- No development costs directly associated with the client.

All those complaints about IE version X and many incompatibilities between browsers show that these points were never true. Both websites and native clients need to deal with these incompatibilities in some way and even using cross platform libraries to hide these differences won't remove the cost of actually testing your software (webpage and client) on all supported target platforms.

Expense of becoming a licensed developer (1)

tepples (727027) | about 2 years ago | (#41428659)

Using cross-platform libraries does, however, hide the expense of becoming and remaining a licensed iOS developer, a licensed Windows Phone 7 developer, and especially a licensed developer for Wii, 3DS, PS3, and PS Vita, all of which have a web browser but no official support for "Unknown sources".

Re:Translation... (1)

EdIII (1114411) | about 2 years ago | (#41429621)

Uhhh, the cost of testing your software in 5 different browsers is quite a bit less than the cost of developing a Linux, Mac, and PC client. That's if you want just them. Add the cost for an Android app, Apple app, Blackberry app, and Windows Phone app if you want to support mobile.

Those costs that you mention are peanuts compared to that.

Re:Translation... (0)

Anonymous Coward | about 2 years ago | (#41425307)

Presumably, it would be the web browsers' *user* who enables/configures the privacy enhancing features. Given that it is that user's platform, that user's security, and that user's privacy which are at risk, browsers and app platforms *should* provide robust mechanisms for controlling what websites and apps can do. If that breaks those websites and/or apps, so be it.

Re:Translation... (1)

EdIII (1114411) | about 2 years ago | (#41425477)

From the summary, which is essentially the article too by the way, it seems they were going to restrict or eliminate the javascript abilities to interact with the server.

They mention HTML extensions, but give no real information on them, or why they will be inherently more secure and leak proof.

I'm all for users having robust mechanisms for control. That's not the same as breaking existing functionality though.

Re:Translation... (1)

FredAndrews (2736433) | about 2 years ago | (#41425751)

The proposed group is open to a range of technical solutions. Limiting the back channels open to Javascript is one approach and this could be very effective for many web activities and still support interactive pages driven by Javascript such as games and children's learning tools. Another approach is limiting the access that Javascript has to the UA state or spoofing the state. A combination of both approaches may also be explored. Javascript is not the only issue, there are other leaks that also need to be addressed. Unfortunately it does not appear possible to solve the problems without breaking something, but I do not accept that this is a good reason not to fix the problems. The damage just gets worse as new standards are developed ignoring the issue and building upon functionality that is not salvageable. User Agents already allow Javascript to be completely disabled and a good range of websites are still quite functional, and I am confident we can do a lot better than this.

Re:Translation... (0)

Anonymous Coward | about 2 years ago | (#41426967)

People shouldn't deliver complex platforms within a web browser. This is what native compiled to ASM code is for.

Re:Translation... (1)

EdIII (1114411) | about 2 years ago | (#41429671)

Oh come on.

Instead of taking advantage of ubiquitous web browsers that allow cheap development you want us to absorb the costs of developing:

- A Windows client
- A Linux client
- A Mac client
- An Android client
- A Blackberry client
- An iPhone client
- A Windows phone client

Why? Just so we can lord it over others that we can write native compiled to ASM code and support that many different clients....

Ohhh, and then try to compete in the market passing off those costs of development and support of that many different code bases to the customers

Re:Translation... (0)

Anonymous Coward | about 2 years ago | (#41427721)

Don't panic. Someone proposed this group. It will be created when it gets enough support. People with a W3C account can join this group. You can create an account, join the group, and make sure your worries are voiced. I'm sure others with the same concerns will do that if you don't.

Re:Translation... (1)

BenoitRen (998927) | about 2 years ago | (#41428751)

If it breaks functionality then the website was badly coded. No website should require JavaScript. It should degrade gracefully.

Re:Translation... (1)

EdIII (1114411) | about 2 years ago | (#41429737)

Seriously?

You're trying to tell me you can develop a SAAS platform without Javascript? Don't tell me something ridiculous like use Flash instead either, or write one big massive Java applet.

It's impossible. You can't have a HTML only website do anything remotely like a Javascript website. Sure, you might be able to cause the page to continuously reload to have a real time updated chart for call volume on a call center, but it will look clunky and crappy doing it.

That's what it really comes down to. We can try and go back to reloading the whole page after each and every action. That's why Javascript was created. To intelligently modify the DOM client side instead of having the server keep track of the whole page and send modifications every time a user action was sent back.

I'm not talking about a public facing web page, or a landing page. I'm talking about authenticated access to secure pages running a SAAS business platform.

Re:Translation... (1)

BenoitRen (998927) | about 2 years ago | (#41431939)

Not all web applications need real-time updates. If one does and JavaScript is disabled, it should still be possible to reload the page to get recent data. That's graceful degradation. JavaScript is meant to be a convenience, not the sole way to do something.

I have actually developed a web application for a company and I made sure that everything still worked without JavaScript. It works very well.

Just undo the browser mistakes (5, Insightful)

Skapare (16644) | about 2 years ago | (#41425159)

Browsers had a lot of bad things done in them over the years. These should just be removed. Start with the Referer (regardless of spelling) field. If the domain is different, don't transmit it. Of course this only scratches the surface. When the user visits another domain, launch a whole new browser in a separate process. Also, do not expose data to a page's client side code about things like navigation to other pages when they are done in different tabs or windows. And when returning the view back to a previously viewed page, just view the previous contents ... do NOT reload the page. The only time a page should be reloaded is when the user navigates to it via a link, or presses reload, or the client code for that page requests reloading only itself or a page in the same directory.

Yeah, they can break a lot of functionality that dumb web developers came to depend on. But these are things that never should have been there to begin with.
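
The Referer rule from the comment above ("If the domain is different, don't transmit it"), sketched as an added example that is not part of the original comment or any browser's code. The function names and sample URLs are constructed; as an assumption it compares full origins (scheme, host, port) rather than bare domain names, which is the behaviour of the `Referrer-Policy: same-origin` header value.

```javascript
// Added example: decide what Referer (if any) a request should carry.
// All names and URLs here are constructed for illustration.

// Remove the parts of a URL that should never leave the browser in a
// Referer header: embedded credentials and the fragment.
function stripForReferer(url) {
  const u = new URL(url);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

// Returns the Referer header value to send with a request from the page
// at fromUrl to the resource at toUrl, or null to omit the header.
function refererFor(fromUrl, toUrl) {
  let from, to;
  try {
    from = new URL(fromUrl);
    to = new URL(toUrl);
  } catch (e) {
    return null; // unparseable input: fail closed, send nothing
  }
  // Only http(s) documents have a referrer worth sending;
  // file:, data: and about: pages send none.
  if (!/^https?:$/.test(from.protocol)) return null;
  // Assumption: "different domain" is read as "different origin", so a
  // scheme downgrade, another port or a subdomain all count as different.
  if (from.origin !== to.origin) return null;
  return stripForReferer(from.href);
}

// Constructed navigations covering the cases a reviewer would check.
const SAMPLE_NAVIGATIONS = [
  ["https://user:pw@shop.example/cart?item=42#pay", "https://shop.example/checkout"],
  ["https://shop.example/cart?item=42", "https://ads.example/pixel.gif"],
  ["https://shop.example/account", "http://shop.example/help"],
  ["https://shop.example/", "https://shop.example:8443/admin"],
  ["file:///home/user/notes.html", "https://shop.example/"],
];

// Apply the rule to each navigation and report the decision.
function auditNavigations(navs) {
  return navs.map(([from, to]) => ({ from, to, referer: refererFor(from, to) }));
}

for (const row of auditNavigations(SAMPLE_NAVIGATIONS)) {
  console.log(`${row.to} <- ${row.referer === null ? "(no Referer)" : row.referer}`);
}
```

A site can request the same treatment from current browsers by sending `Referrer-Policy: same-origin`; the sketch only makes the decision table explicit.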

Re:Just undo the browser mistakes (0)

Anonymous Coward | about 2 years ago | (#41425595)

> And when returning the view back to a previously viewed page, just view the previous contents ... do NOT reload the page.

This bugs me a lot. Opera is the only browser I know of that doesn't reload on back button. Even things like view source in Chrome/Firefox require a reload.

Expired document (1)

tepples (727027) | about 2 years ago | (#41428773)

Aren't web browsers supposed to reload on back button if the previous document has expired from cache?

Re:Just undo the browser mistakes (0)

Anonymous Coward | about 2 years ago | (#41425729)

Let me add one more to that: the concept of a user-agent string should never have existed in the first place.

Fundamentally, web browsers shouldn't be written by web developers. They should be written by people acting in the interests of people using the browser, and regard web developers as subtle and malicious enemies.

How to express these without User-agent: header? (1)

tepples (727027) | about 2 years ago | (#41429025)

> the concept of a user-agent string should never have existed in the first place.

Instead of the User-agent: HTTP header, what way would you have recommended to communicate these to the server?

  • Whether the user agent supports recent mark-up features. IE usually doesn't, and downlevel browsers tend not to. These could be detected with JavaScript-based object detection, but that'd incur another round-trip delay.
  • Whether the user agent makes title attributes of elements available to the user. Mobile browsers tend not to, which hurts xkcd and other webcomics that put the stinger in the title.
  • What level of detail the anonymous user is likely to prefer. For the smaller screens of mobile you usually want a summary, with details accessed through links, because the viewport is smaller and it costs the user more to receive each bit.

Outside Interest (1)

Anonymous Coward | about 2 years ago | (#41425183)

W3C has a lot of members and receives a lot of funding by people who don't want the users to have too much control over their privacy.

...because the solutions are patented." (3, Insightful)

Penurious Penguin (2687307) | about 2 years ago | (#41425259)

First, http://www.techdirt.com/articles/20120920/23570020453/when-even-hilarious-web-comic-artists-are-mocking-insanity-patent-system.shtml [techdirt.com]

Admitting my primitive understanding of this subject, I have some questions: Is sandboxing undervalued? Is sending all cache to unique directories that can only be read by the source they were created for practical? Would generating random or shared generic user-agent data for each domain for each encounter have any effect? I have taken simple privacy measures like chmod 400 ~/.macromedia and ~/.adobe; installing noscript, flashblock; bloating /etc/hosts with loopback redirects, thrashed around in about:config, piously used bleachbit, etc. -- but I guess there are still kissmetrics and other mysterious things to deal with.

I remember trying the EFF's panopticlick [eff.org], which tests your browser for its unique fingerprint. I was a little surprised at the results. What does something like the time-stamp mean for anonymity? How many people in the world have identical installation times and zip-codes, etc.? Why does this and other data need to be there as it is?

I get confused when contemplating why such promiscuous features are included in browsers in the first place. Are we simply using stupid browsers? Would creating a secure browser break its functionality? I know noscript can be a pain in the ass. What really confuses me is why a browser would store persistent cookies and other data -- after being deleted -- unless it was built to do so. If so, then why? If not, then why? When I start a browser from a fresh install or USB, it works just fine. If I reboot and do it again, it continues to work fine. Why the persistent data?

Finally, it should be alarming in itself that so much knowledge is required now to have even a measure of privacy. Those who understand, often take their knowledge for granted. But even for someone practically living and working in the web, it is not an overly simple subject. Is privacy an esoteric delusion, or is it an esoteric reality?
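The question above of how many people share the same combination of browser details can be worked through on a small sample. This is an added example, not part of the original comment: the visitor records are constructed, the attribute names are assumptions, and the measure is self-information, -log2(share of the sample that looks the same).

```javascript
// Constructed sample of visitor records (not real measurement data).
const visitors = [
  { ua: 'Firefox/15', tz: -300, screen: '1920x1080', fonts: 'setA' },
  { ua: 'Firefox/15', tz: -300, screen: '1366x768', fonts: 'setA' },
  { ua: 'Firefox/15', tz: 60, screen: '1920x1080', fonts: 'setB' },
  { ua: 'Chrome/21', tz: -300, screen: '1920x1080', fonts: 'setA' },
  { ua: 'Chrome/21', tz: 60, screen: '1366x768', fonts: 'setB' },
  { ua: 'Chrome/21', tz: 60, screen: '1920x1080', fonts: 'setA' },
  { ua: 'Opera/12', tz: -300, screen: '1366x768', fonts: 'setC' },
  { ua: 'Firefox/15', tz: -300, screen: '1920x1080', fonts: 'setA' },
];
const ATTRS = ['ua', 'tz', 'screen', 'fonts'];

// Visitors who share the target's value for every listed attribute.
// The target is assumed to be a member of the sample.
function anonymitySet(sample, target, attrs) {
  return sample.filter((v) => attrs.every((a) => v[a] === target[a]));
}

// Identifying information in bits carried by the listed attributes.
function surprisalBits(sample, target, attrs) {
  const share = anonymitySet(sample, target, attrs).length / sample.length;
  return -Math.log2(share);
}

// Size of the anonymity set as each attribute is added to the fingerprint.
function narrowing(sample, target, attrs) {
  return attrs.map(
    (_, i) => anonymitySet(sample, target, attrs.slice(0, i + 1)).length
  );
}

// Per-attribute and combined figures for one visitor.
function report(sample, target, attrs) {
  const perAttr = {};
  for (const a of attrs) {
    perAttr[a] = surprisalBits(sample, target, [a]).toFixed(2);
  }
  return {
    perAttr,
    combinedBits: surprisalBits(sample, target, attrs).toFixed(2),
    setSizes: narrowing(sample, target, attrs),
  };
}

// No single value of this visitor is rare in the sample, yet the
// combination leaves an anonymity set of one.
console.log(report(visitors, visitors[4], ATTRS));
// This visitor still shares every value with one other record.
console.log(report(visitors, visitors[0], ATTRS));
```

In a sample of N visitors the combined figure cannot exceed log2(N) bits, the point at which a visitor is unique.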

Re:...because the solutions are patented." (1)

Anonymous Coward | about 2 years ago | (#41425441)

I am afraid privacy has always been a delusion. First however one must realize that while privacy is an interesting notion as long as humanity has been a structure of highly ordered and inter-networked collaboratives privacy has been a farce. From the town gossip of yore to the dealings of the FBI on the phone today, society has always had a penchant for encroaching on the privacy of others. With modern technology and data harvesting we can expect more erosions of it in the future. We do live in scary times, but despite this in order for our privacy to be invaded someone must care or wish to know.

Just because we are online doesn't mean that we aren't watched or even judged by our actions, however anytime you or I or anyone is in public we are watched and seen by a multitude of other people. We are judged by how we act. Stores track what we buy. Friends and strangers might comment on our current family status, marital status, relationship status, consumption status. The world is a nosey place. I've come to realize that our machines are much like us. Why wouldn't they be? You can take away the machines but the fact remains. Humans are nosey, and the only true way for privacy online is to not be on it.

Re:...because the solutions are patented." (2)

FredAndrews (2736433) | about 2 years ago | (#41425875)

I don't accept that privacy is an all or nothing matter. Why not try and close some obvious invasions of privacy?

If I can't track your interactions with the site.. (1)

wzinc (612701) | about 2 years ago | (#41425681)

how do I tell which button you clicked?

Re:If I can't track your interactions with the sit (0)

Anonymous Coward | about 2 years ago | (#41425821)

You don't. You send me the entire page, and let me (or my browser) figure out which button I've clicked and what to display. If I want to look at another page, I click on a "link", which doesn't require javascript.

Cap (1)

tepples (727027) | about 2 years ago | (#41429785)

> You send me the entire page

Even the pages that the user doesn't appear to want to view? That'll eat into the user's 5 GB/mo cap quickly.

Re:If I can't track your interactions with the sit (1)

FredAndrews (2736433) | about 2 years ago | (#41425851)

Through a navigation request or form submission request, or you can send me Javascript to handle the button click on the UA and it will be run in a context that has no access to back channels, or it may be that the button press is intentional enough that it could be passed to a Javascript context that has no access to the UA state but can proxy the event back to your server and then forward an update from your server back to the private UA context. Keep in mind that this is a proposed group to work on the issues, not a detailed proposal to solve all the problems.

There is no need to specify the browser. (3, Insightful)

jd (1658) | about 2 years ago | (#41426197)

The browser string helps to identify if the browser can perform certain functions. So send a string that specifies "server-visible capabilities" (ie: what the user wants the server to know about the capabilities of the browser) instead. Then no browser, OS or other potential privacy loopholes exist.

But what if you don't want the server to know anything? That's the point about sending a capabilities string. If you don't want to specify, there's no need to. Having said that, setting a bit that indicates "HTML 4.01-compliant" is not revealing anything terribly informative to anyone, since that's going to be true of 99% of user agents at this point. Which means you're not part of the 1%, but that's about it.

HTML 5 is the only awkweird one, as you'd have to have a bit for some generally-agreed group of functions, since there's no fixed standard. (IIRC, that's going to switch to having a "rolling development branch" and fixed "stable snapshots", but for now there's no stable spec you can identify with a simple flag.)

True, some browsers implement subsets (and/or extensions to) approved standards, but frankly the headache for developers is to support those kinds of freaks. A fixed list of supported standards you can switch between is really what you want. Special cases for every browser make for something that is unmaintainable, as anyone who has developed a web app can tell you. Freak cases really should be reduced to "nearest available standard" where at all possible.

This satisfies all the requirements of the server, for behaving correctly on multiple browsers, without giving anything away that could be misused.

Furthermore, since I'm saying the capabilities string is a bunch of flags, you can specify masks per site or site grouping if you want to conceal some information from some servers. (This makes user tracking via the agent impossible, since the agent can now vary and there's fine-grained control over how it varies.) Not a million miles from how security is handled in every other case.
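The capability-flags idea in the comment above, sketched as an added example (not part of the original comment and not any browser's API). The flag names, bit positions, host names and the policy structure are all hypothetical.

```javascript
// Hypothetical capability flags; names and bit positions are assumptions
// for illustration, not taken from any standard or browser.
const CAPS = Object.freeze({
  HTML401: 1 << 0,
  CSS21: 1 << 1,
  HTML5_SNAPSHOT: 1 << 2,
  SVG11: 1 << 3,
  TITLE_TOOLTIPS: 1 << 4,
});
const ALL = Object.values(CAPS).reduce((a, b) => a | b, 0);

// Pick the mask for a host: exact host first, then each parent domain,
// then the user's default. A mask of 0 means "tell this server nothing",
// so the lookup tests for key presence rather than a truthy value.
function maskFor(host, policy) {
  const labels = host.toLowerCase().split('.');
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join('.');
    if (Object.prototype.hasOwnProperty.call(policy.sites, candidate)) {
      return policy.sites[candidate];
    }
  }
  return policy.defaultMask;
}

// What the server sees: real capabilities ANDed with the site's mask.
// Returns null when nothing is disclosed, so no string is sent at all.
function advertisedCaps(host, realCaps, policy) {
  const visible = realCaps & maskFor(host, policy) & ALL;
  if (visible === 0) return null;
  return Object.keys(CAPS)
    .filter((name) => (visible & CAPS[name]) !== 0)
    .sort()
    .join(' ');
}

// Constructed sample policy and two constructed browsers.
const policy = {
  defaultMask: CAPS.HTML401,
  sites: {
    'webapp.example': CAPS.HTML401 | CAPS.CSS21 | CAPS.HTML5_SNAPSHOT,
    'ads.example': 0,
  },
};
const browserA = ALL; // supports everything
const browserB = CAPS.HTML401 | CAPS.CSS21 | CAPS.HTML5_SNAPSHOT;

// Both browsers send the same string to the web app: the mask hides the
// bits (SVG11, TITLE_TOOLTIPS) in which they differ.
console.log(advertisedCaps('app.webapp.example', browserA, policy));
console.log(advertisedCaps('app.webapp.example', browserB, policy));
console.log(advertisedCaps('cdn.ads.example', browserA, policy)); // null
console.log(advertisedCaps('news.example', browserA, policy));
```

Two browsers look alike to a server only when the mask for that site covers every bit in which they differ; a bit that the mask exposes and that only one of them sets still separates them.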

Re:There is no need to specify the browser. (0)

Anonymous Coward | about 2 years ago | (#41426733)

> The browser string helps to identify if the browser can perform certain functions

This article isn't about the User-Agent header, it's about the user agent (more commonly referred to as a "browser") itself.

Re:There is no need to specify the browser. (0)

Anonymous Coward | about 2 years ago | (#41427021)

You are misguided. Websites shouldn't discriminate between User-Agent strings at all. Browser detection is bad. Websites should use only web standards or experimental features proposed for a standard (most of HTML5). The capabilities of a client should never be determined by some HTTP header field, they should be determined by media queries or the availability of the corresponding DOM object or function. Or as a last resort, by an error-handling routine.

The extra round trip adds latency (1)

tepples (727027) | about 2 years ago | (#41429839)

> Browser detection is bad. Websites should use only web standards or experimental features proposed for a standard (most of HTML5).

So other than through browser detection, how is a web site supposed to know which "web standards" and which "experimental features proposed for a standard" a particular user agent supports?

> The capabilities of a client should never be determined by some HTTP header field, they should be determined by media queries

Sending the stylesheets for a couple dozen combinations of media queries just to have the user agent select one of them and discard all the rest costs bandwidth. So does sending mark-up that will be hidden with display: none in a particular media query's stylesheet. Besides, the preferred viewport width in WebKit still isn't capable of being controlled by CSS media queries, as the only browser capable of setting it through CSS rather than through <meta name="viewport"> in the HTML is Opera [opera.com].

> or the availability of the corresponding DOM object or function

The extra round trip adds latency.

Fuck JavaScript (0)

Anonymous Coward | about 2 years ago | (#41426741)

http://noscript.net/ [noscript.net]

Re:Fuck JavaScript (1)

FredAndrews (2736433) | about 2 years ago | (#41427107)

Noscript has many useful features, and some of its features are being integrated into standards, such as ClearClick which is proposed for CSP - although in CSP it is proposed that any violations are silently reported to the server rather than the user. I think we can do better than just disabling JS to prevent covert sharing of UA state. Further there are other sources of leaks, such as CSS.

Privacy hysteria (1)

dshk (838175) | about 2 years ago | (#41426843)

This new fixation on privacy becomes absurd. I hope that the commenters are not a representative subset of the population, even here on Slashdot. Do you recognize that complete privacy on the Internet means complete anarchy?

Do you recognize how little privacy you have when you step out of your home? You become uniquely identifiable immediately.

In a small town everybody will know me by my face. Oh my god, how can we live in such a rude world? I should put a sack on my head. But no, my shoes identify me too. Not to mention my fingerprint and DNA. I had to use a hermetic space suit if I go out. Yes, everybody should wear a space suit with black windows. But that may be too expensive for the entire population. Thank God, there is a good solution, some of our muslim friends already use the burka. Well only for women, but we can enhance the idea. Let everyone wear a burka. And only visit web sites which are made in the 1990, no login, no custom content, no Javascript, no user generated content, only HTML 3.0.

Re:Privacy hysteria (0)

Anonymous Coward | about 2 years ago | (#41427011)

They are just isolationist nutjobs trying to ruin the world for everyone else.

I personally think we should give them what they want and lock them in solitary confinement. They already live in a delusional little world, so putting them in the padded cell won't be any different.

I wish they would go away.
It isn't even a case of BIG BAD GUBMINT SPAHING ON ME, it is just they are idiots who have a thirst for self-harm and punishment because if life isn't a pain every single day, if things don't take a trillion clicks or a quadrillion lines just to perform one action, it is worthless.
Sadly this is also becoming the Linux Mentality. Apparently you can't be user friendly and have access to everything. Who put these morons in charge?

Re:Privacy hysteria (1)

FredAndrews (2736433) | about 2 years ago | (#41427149)

Personal computers have traditionally been a private space and the Internet has not been 'complete anarchy' so you are simply wrong. Simply because the web browser is becoming a platform for delivering applications should in no way make the personal computer open to the covert sharing of its state. I understand that 'privacy' is a loaded word and perhaps you have misunderstood the intention of this group - 'complete privacy on the Internet' is certainly way out of its scope as is discussion about privacy in public places. I believe it is possible to do a lot better than simply disabling Javascript and this is a challenge for the group. Please understand that I expect a web application run on my personal computer to have the same level of privacy as a local application which I do not believe is unreasonable, and if the HTML standards can not and will not address this issue then I believe they have lost their legitimacy.

Re:Privacy hysteria (1)

dshk (838175) | about 2 years ago | (#41429995)

I work for a site with about 1 million monthly visitors. I know from experience that 1-3% of the visitors are notorious troublemakers and they do ruin the online life of the other 99% if they are not controlled. This is a continuous fight, they put huge efforts into evading our rules and we also spend huge effort into stopping them. For example we know about a user who spent about 2 months working on a software tool. I am not talking about hacking, that is another front. And this is a mostly free service, no money involved, and not attractive to spammers. Yes, the internet (specifically the part of it which has user generated content) is not a complete anarchy now, exactly because there are some (rather unreliable and poor) ways to track visitors.

You can have the same level of privacy as you had with a local application and that is almost reasonable ... but internet applications are more and more frequently social applications, where the consequences of your actions are not local.

Moreover, internet applications work on a different scale, with many users and small income/users, so they must be much more efficient than traditional (paid) local applications. If we want even more services for free, then we must allow those "awful" providers to become even more efficient, for example to track whether we scroll down to the bottom of a page or not. Why is that so horrible?

Re:Privacy hysteria (1)

BenoitRen (998927) | about 2 years ago | (#41428835)

Hyperbole much? In real life there aren't tons of ad agencies tracking your every movement. Your comparison is ridiculous.

Re:Privacy hysteria (1)

dshk (838175) | about 2 years ago | (#41429543)

I like that I get targeted advertisement instead of random advertisement recently. (There is still place to enhance them though, I frequently get ads about products I already bought or services I already use). Targeted ads are better for all participants, internet industry and visitors too. The only participant which does not like advancements in advertising is Microsoft - for obvious reasons. Have you ever been hurt by a targeted ad?

market interference from unwanted regulation (0)

Anonymous Coward | about 2 years ago | (#41430475)

As a marketer, I propose a more acceptable solution. I suggest all those who do not want javascript to do the backchannel peeking enable a browser setting 'Do Not Peek' which will mirror the incredibly successful 'Do Not Track' option. This is self-regulation at its best, allowing the consumer to consume and the Free Market to proceed in perfect harmony. Remember folks, you do not want the terrorist to win. So as Obushma said, 'Keep shopping - your country needs you'.

Fdhxh hx (1)

nischal360 (2713011) | about 2 years ago | (#41434107)

Ccjffjjfufhtctc