On 17/09/13 03:52, Brian Smith wrote: > One thing that is up for debate is what the security/privacy tradeoff > should be. In particular, the channel ID keypair itself acts like a > cryptographically strong cookie and could be used for tracking. The > Chromium team has implemented some measures to make it so that channel > ID is treated like cookies in terms of the browser's cookie management > policy. We should investigate whether we could improve the privacy > protections for this mechanism to make sure it doesn't become a > new/better way to track people.
Is it fair to say that, the way the Chrome team have implemented it, it is an _equivalent_ way to track people, and your aim is to make it a _less_good_ way? Or do you think that the current implementation is a better way, and you aim to make it equivalent? > Ideally, we would know which cookies > were associated with a login event (username/password submission, > Persona/BrowserID login, etc), and then only generate and use a > Channel ID keypair in those situations. However, this would require us > to be able to classify cookies into "authentication" and "tracking" > buckets, which is something that we probably cannot do perfectly and > automatically. Is there even such a distinction? An authentication cookie can also be used for tracking. Could we make things better by refusing point blank to do third party channel IDs? We don't have a legacy problem like we do with cookies. > Because this mechanism would require changes to both > clients and servers for it to be effective, it seems reasonable that > we could require servers that want to use Channel ID to do something > special when the user logs in, if needed. And/or, we may be able to > repurpose some of the password manager login detection logic to detect > when to start using ChannelID for a server. This logic is not enormously robust (although it's been rejigged recently, IIRC). Gerv _______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security
