The people behind the privacy-oriented browser Brave have criticized an industry proposal that, they say, would make it easier for websites to identify a browser using a passive, cookie-less fingerprinting technique.
The proposal is HTTP Client Hints, which offers a standard way for a web server to ask a browser for information about itself. It comes from the Internet Engineering Task Force (IETF), an organization that works with industry members to develop voluntary standards for internet protocols and that carries a lot of weight: it standardized TCP and HTTP, two of the internet's basic protocols.
HTTP already offers a technique called proactive negotiation, with which a server can learn about the browser making a request. This technique has the browser describe its capabilities every time it sends a request. That costs too much bandwidth, says the IETF.
Client Hints is meant to make this simpler. It defines a new response header that servers can send whenever they want, asking the browser for information such as the width and height of the display in pixels, the amount of memory the device has and its color depth.
The IETF says that Client Hints would make it easier for servers to deliver the right content for a browser. For example, you wouldn't want a huge photo if you were viewing a page on a mobile device.
This does not sit well with the Brave team, however. It considers Client Hints another tracking method, one that gives browsers a way to leak information about their users. It says:
Delegation by third parties
Brave also doesn't like another part of Client Hints: it allows a server to instruct a browser to send its information to third parties (a process called third-party delegation). These other sites may include ad networks that display advertisements on a page.
The Client Hints proposal also makes it easier for companies sitting between your browser and the website you visit to learn more about your device, Brave warns. It refers here to content distribution networks (CDNs). These are services that cache website content around the world so that it is closer to the people reading it, which improves website performance.
The IETF proposal urges developers to give Client Hints only to the website they are viewing (the origin), rather than to third-party sites that may interact with it. But these security guidelines are exactly that: guidelines. The technology itself will not prevent unscrupulous sites from violating them.
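The gap between the guideline and the mechanism is something a site operator or privacy auditor can check for directly. The following added example (not code from the article, Brave or the IETF) inspects a captured set of response headers for the device-describing hints a server requests and reports any that it delegates to origins other than the first party. It assumes the `Accept-CH` request header and the `ch-*` entries of `Permissions-Policy` as specified in the Client Hints drafts; the sample response is constructed.

```python
"""Audit HTTP response headers for Client Hints requests and third-party delegation."""
import re
from urllib.parse import urlsplit

# Hints that describe the device rather than a single request; these are the
# passive fingerprinting surface the article's criticism is about.
DEVICE_HINTS = {"dpr", "width", "viewport-width", "device-memory"}


def origin_of(url):
    """Reduce a URL to its origin (scheme://host[:port]), lowercased."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def parse_accept_ch(value):
    """Return the lowercased hint names a server asks for via Accept-CH."""
    return [h.strip().lower() for h in value.split(",") if h.strip()]


def parse_delegations(permissions_policy):
    """Parse ch-* entries such as 'ch-dpr=(self "https://cdn.example"), ch-width=*'.

    Returns {hint: set_of_allowlist_tokens}; '*' means any origin, 'self' is kept literally.
    """
    out = {}
    for m in re.finditer(r'ch-([a-z-]+)\s*=\s*(\*|\(([^)]*)\))', permissions_policy, re.I):
        hint = m.group(1).lower()
        out[hint] = {"*"} if m.group(2) == "*" else {t.strip('"') for t in m.group(3).split()}
    return out


def audit(first_party_url, headers):
    """Map each requested device hint to the third-party origins it may flow to.

    An empty list means the hint stays with the first party; '*' means any embedded origin.
    """
    first_party = origin_of(first_party_url)
    requested = set(parse_accept_ch(headers.get("Accept-CH", "")))
    delegated = parse_delegations(headers.get("Permissions-Policy", ""))
    findings = {}
    for hint in requested & DEVICE_HINTS:
        third = set()
        for token in delegated.get(hint, set()):
            if token == "*":
                third.add("*")
            elif token != "self" and origin_of(token) != first_party:
                third.add(origin_of(token))
        findings[hint] = sorted(third)
    return findings


SAMPLE_HEADERS = {  # constructed response from a hypothetical news site
    "Accept-CH": "DPR, Viewport-Width, Device-Memory, Width",
    "Permissions-Policy": 'ch-dpr=(self "https://cdn.example.net"), ch-device-memory=*, ch-width=(self)',
}

if __name__ == "__main__":
    for hint, origins in audit("https://news.example.com/article", SAMPLE_HEADERS).items():
        print(hint, "->", origins or ["first party only"])
```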
Brave points out that it is the server that chooses to make these requests and that users have no choice:
The browser only sends the values if the server has requested them, but it must supply them whenever the server requests them.
User opt-in mechanisms are not mandatory, apparently because the issue is hard to explain. The IETF proposal says:
Implementers MAY provide user-choice mechanisms so that users can balance privacy concerns with bandwidth limitations. However, implementers should also be aware that explaining the privacy implications of passive fingerprinting to users can be challenging.
Ultimately, browser vendors are free to implement the standard or not, and Brave can do whatever it wants. Even if the major browsers choose to implement it, most have shown a willingness to deviate from standards when they are misused for fingerprinting instead of their intended purpose.