[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #5501 [TorBrowserButton]: enable Do-Not-Track DNT by default



#5501: enable Do-Not-Track DNT by default
------------------------------+---------------------------------------------
 Reporter:  cypherpunks       |          Owner:  mikeperry
     Type:  enhancement       |         Status:  new      
 Priority:  normal            |      Milestone:           
Component:  TorBrowserButton  |        Version:           
 Keywords:                    |         Parent:           
   Points:                    |   Actualpoints:           
------------------------------+---------------------------------------------

Comment(by pde):

 It's important to understand that if we're talking about legal
 consequences, we're dealing with legal reasoning rather than technical
 reasoning.  The first thing to understand about legal reasoning is that
 ''isn't'' consistent in a logical sense. It can have all sorts of fuzzy
 and contradictory aspects to it, and these tend to be resolved in a way
 that makes sense to judges (who are usually not technically
 sophisticated), if they are ever resolved at all.

 Replying to [comment:20 rransom]:

 > With IFRAME, every website can be turned into a third party.  And almost
 every non-trivial web application (including Trac) sets cookies in order
 to prevent CSRF attacks.

 (Aside: I'm a bit confused about how a cookie can prevent a CSRF attack.
 Surely CSRF tokens need to be something that an attacker can't cause the
 victim's browser to send, such as internal DOM state, or a fragment or
 query parameter. But let me answer as though cookies were necessary for
 CSRF protection)

 The W3C spec is not finished yet, but the proposals all deal with the
 above by saying something like: "a website is a third party for a given
 request if it can infer with high probability that it is a third party".
 So things that are designed or promoted for embedding are third parties;
 stuff that someone else randomly hotlinks or <iframe>s is not.

 The proposals also have exceptions for widgets and other third party
 things that the user knowingly chooses to interact with. So if someone
 builds a "distributed web bug tracker" that is embeddable in a lot of
 sites, if a user chooses to turn that on/logs in/etc, it's okay for it to
 set cookies and track that user across sites.

 And before anyone asks, the aim with sites like Facebook/Twitter/etc that
 function as both first and third parties is to make sure that
 consent/choice to interact for the third-party aspect of the site is
 preserved, even if you're logged into it as a first party. One
 consequence is that this handful of giant hybrid first/third parties
 should migrate to different domains for their first and third party stuff.
 Which most of them have already done, for exactly this sort of reason.

 > DNT laws and regulations are likely to be as destructive as SOPA, if not
 worse.  I oppose them strongly, and I hope that EFF will recognize the
 danger that DNT poses to a free and open Internet and stop supporting DNT
 legislation.

 We aren't sure whether legislation is the right way to get DNT implemented
 (there are really a lot of ways it might happen), and at the moment no DNT
 legislation is remotely close to passing.  If that ever changes, we'll
 look extremely closely at whatever bill, and work with the community, to
 make sure that it doesn't have unintended technical consequences.  And if
 we feared it might, we would not support it.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5501#comment:21>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs