On Tuesday, 3 March 2015 11:50:07 Cathal Garvey wrote:
Hold on there. These are two different beasts. DNT is "please don't track me" and of course it won't work.
In fact, it's worse. DNT, if set either way, is another pure bit of browser entropy; it actually *assists* certain forms of tracking, because it can be expected to remain invariant between visits of a given browser/user.
Absolutely. However, I did use to give even more bits of entropy by setting my UA String in a particular way: http://rys.io/en/56 Now I just need to start filing lawsuits, I guess. ;)
This is just one of the things making me think the "web" needs a total re-boot to redesign for security from the boots-up. Servers shouldn't require user-agents to know how to treat visitors. Scripting is useful for a rich experience but should be more sand-boxable (ideally, scripts can be sandboxed to their position in the DOM tree!) and tightly permission'd. Canvas and other elements should behave deterministically; this should be part of browser test-suites. Browsers should be allowed to cache fonts but not disclose to the server whether they have a font in their cache or not.
But look, HTTP/2.0 is coming! Oh, wait: https://queue.acm.org/detail.cfm?id=2716278
DNT was another nail in the coffin. Either a browser can be tracked by design, or it can't.
+over9000

--
Regards,
Michał "rysiek" Woźniak

Changing my GPG key :: http://rys.io/pl/147
GPG Key Transition :: http://rys.io/en/147
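
The entropy point made in the thread above, as an added example that is not part of the original message: it measures how much a header fingerprint gains when the DNT field (unset, "0" or "1") is included. The visitor sample, field layout and function names are constructed for illustration.

```python
import math
from collections import Counter

# Constructed sample: (User-Agent, Accept-Language, DNT header or None if unset).
VISITORS = [
    ("Firefox/36", "en-US", None),
    ("Firefox/36", "en-US", "1"),
    ("Firefox/36", "en-US", "0"),
    ("Firefox/36", "pl-PL", "1"),
    ("Chrome/40", "en-US", None),
    ("Chrome/40", "en-US", None),
    ("Chrome/40", "en-US", "1"),
    ("Chrome/40", "pl-PL", None),
]

UA, LANG, DNT = 0, 1, 2  # field indexes into each visitor tuple


def _groups(population, fields):
    """Count how many visitors share each fingerprint built from `fields`."""
    return Counter(tuple(v[i] for i in fields) for v in population)


def entropy_bits(population, fields):
    """Shannon entropy (bits) of the fingerprint distribution."""
    total = len(population)
    return -sum(c / total * math.log2(c / total)
                for c in _groups(population, fields).values())


def unique_visitors(population, fields):
    """Visitors whose fingerprint is shared with nobody else in the sample."""
    return sum(1 for c in _groups(population, fields).values() if c == 1)


def dnt_gain(population):
    """Extra bits of identifying information contributed by the DNT field."""
    return (entropy_bits(population, (UA, LANG, DNT))
            - entropy_bits(population, (UA, LANG)))


if __name__ == "__main__":
    for label, fields in (("without DNT", (UA, LANG)),
                          ("with DNT", (UA, LANG, DNT))):
        print(f"{label}: {entropy_bits(VISITORS, fields):.3f} bits, "
              f"{unique_visitors(VISITORS, fields)} unique of {len(VISITORS)}")
    print(f"DNT contributes {dnt_gain(VISITORS):.3f} bits")
```

Setting DNT to either "0" or "1" separates a visitor from the unset group, which is why both values raise the count of unique fingerprints in the sample.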