Should the IETF ship or skip HTTP 2.0?
Should the IETF ship or skip HTTP 2.0?
Posted Jun 3, 2014 9:58 UTC (Tue) by nim-nim (subscriber, #34454)In reply to: Should the IETF ship or skip HTTP 2.0? by gren
Parent article: Should the IETF ship or skip HTTP 2.0?
As noted by phk http/2 is a rather unbalanced protocol that shows its Google roots, and in the name of expediency the IETF refused to fix a lot of its problems:
1. it gained approval by some privacy groups by enshrining TLS, but without real analysis of http privacy emplications. As a result it only secures Google/facebook… data mining
2. it is a "no new features" protocol except that it includes server push (which changes completely http security)
3. on the other hand the IETF refused to open the cookie issue despite it being trivial to solve (don't save anything client side, provide a session id). The ietf argued a cookie-less protocol would see no adoption despite contrary evidence (the same people claimed UE's requirement to tell users about cookies could not be implemented)
Posted Jun 3, 2014 10:07 UTC (Tue)
by Cyberax (✭ supporter ✭, #52523)
[Link] (9 responses)
Posted Jun 3, 2014 18:00 UTC (Tue)
by nim-nim (subscriber, #34454)
[Link] (8 responses)
What changed in the past years is not the ability to spy on people but that's it's so cheap you can even set it up just in case you need it later. Making it a little harder would go a long way to limit opportunistic abuses
Posted Jun 3, 2014 18:04 UTC (Tue)
by Cyberax (✭ supporter ✭, #52523)
[Link] (7 responses)
Next, currently cookies are easily scoped - by their domain. How do you propose to scope session IDs?
Posted Jun 4, 2014 6:59 UTC (Wed)
by nim-nim (subscriber, #34454)
[Link] (3 responses)
That would be sufficient to limit abuses.
Posted Jun 4, 2014 20:58 UTC (Wed)
by Cyberax (✭ supporter ✭, #52523)
[Link] (2 responses)
And of course, I personally _want_ lots of my sessions to last more than 1 day or week.
And lastly, nobody stops you from deleting cookies every day or restricting them in any way.
Posted Jun 5, 2014 11:54 UTC (Thu)
by mathstuf (subscriber, #69389)
[Link] (1 responses)
No, because if one gets intercepted, that cookie is good for years.
> For example, if I place an image from http://google.com/someanalytics on my page and you have a session ID for google.com domain then you'd still be tracked.
Use RequestPolicy and don't let J. Random Website force your browser to communicate with any other site. Saves bandwidth too.
Posted Jun 5, 2014 14:25 UTC (Thu)
by Cyberax (✭ supporter ✭, #52523)
[Link]
> Use RequestPolicy and don't let J. Random Website force your browser to communicate with any other site. Saves bandwidth too.
Posted Jun 6, 2014 21:15 UTC (Fri)
by job (guest, #670)
[Link] (2 responses)
Posted Jun 6, 2014 21:20 UTC (Fri)
by Cyberax (✭ supporter ✭, #52523)
[Link] (1 responses)
Cookie scoping is easy: http://tools.ietf.org/html/rfc6265#section-4
Posted Jun 6, 2014 22:20 UTC (Fri)
by nybble41 (subscriber, #55106)
[Link]
Posted Jun 3, 2014 17:05 UTC (Tue)
by intgr (subscriber, #39733)
[Link] (1 responses)
Doesn't sound trivial to me. Is there a more detailed proposal for this?
Posted Jun 3, 2014 18:04 UTC (Tue)
by nim-nim (subscriber, #34454)
[Link]
Should the IETF ship or skip HTTP 2.0?
Should the IETF ship or skip HTTP 2.0?
Should the IETF ship or skip HTTP 2.0?
Should the IETF ship or skip HTTP 2.0?
Should the IETF ship or skip HTTP 2.0?
Should the IETF ship or skip HTTP 2.0?
Should the IETF ship or skip HTTP 2.0?
So? If someone intercepts your session ID they'd still be able to access your data for the duration of the session.
You are free to do that with cookies.
Should the IETF ship or skip HTTP 2.0?
Should the IETF ship or skip HTTP 2.0?
Should the IETF ship or skip HTTP 2.0?
Should the IETF ship or skip HTTP 2.0?
Should the IETF ship or skip HTTP 2.0?