SpywareWatchdog/articles/http.html

<!DOCTYPE HTML>
<html lang=”en-us”>
   <head>
    <link rel="stylesheet" href="../style.css">
    <meta charset="UTF-8">
    <title>Spyware Watchdog</title>
  </head>
  <body>
  <h1>HyperText Transmission Protocol</h1>
  <img src="../images/w3c_logo.png" alt="World Wide Web Consortum: The maintainers of the HTTP standard">
  <p><a href="../articles/index.html">Back to catalog</a></p>
  <p>
HTTP is a protocol usually used for transferring HyperText Markup Language documents accross the internet.
  </p>
  <h2>Spyware Level: <font color=yellow>Medium</font></h2>
  <p>
HTTP is a protocol that is not designed with the privacy of its users in mind. The language used in the HTTP specification explicitly says that
the protocol was designed with enabling the datamining of its users in mind, and contains features that are not absolutely necessary for the purpose of the
protocol, but allow the protocol compromise user privacy.
  </p>
  <h3>"User-Agent" Datamining feature</h3>
  <p>
  Section 14.43<sup><a href="#1">[1]</a></sup> of the HTTP specification details the "User-Agent"
  spyware feature of the protocol that, when implemented, will attach information about your computing enviroment that can be used to track you.
  The biggest danger of the User-Agent spyware is that there is no way to anonymously opt-out of this- even if you do not provide a user-agent,
  because almost everyone else does, you will be tracked by the fact that you do <b>not</b> provide that information. There are many strategies
  to mitigate this spyware, with only varying levels of success, but the problem is that this is the acceptable standard of how HTTP is used-
  and not the forgotten feature that it should be. Not only does the User-Agent feature collect this unncessary information, its purpose is explicitly
  stated in the protocol specifications to aid in datamining.
  </p>
  <p><i>
  "The User-Agent request-header field contains information about the user agent originating the request. This is for <b>statistical purposes</b>, the tracing of protocol violations, and automated recognition of user agents for the sake of tailoring responses to avoid particular user agent limitations. User agents SHOULD include this field with requests. "
  </i></p>
  <h3>Acknowledgement of HTTP's privacy problem</h3>
  <p>
  In the HTTP specification, the W3C explicitly acknowledges the serious privacy violations that implementations of this protocol are capable of comitting.
  Section 15.1<sup><a href="#2">[2]</a></sup> of the HTTP specification has a very detailed analysis of
  the implications of the comprimization of privacy that the User-Agent spyware allows to happen and suggests how to use the User-Agent feature: as an opt-in
  feature where the privacy concerns of using such a feature are properly explained to the user. Even though this is a good section, it shows a very naieve
  viewpoint from the W3C- the expectation that this feature would not be abused, and the expectation that implementers of this standard would respect the
  privacy of their users and would not use these features of the protocol to datamine users.
  </p>
  <p>
  At best, you could call this mindset naieve. Or, you could call it negligent. If you want to hold the W3C in contempt, you could call it malicious.
  It's easy to write in your standard that while you could use this protocol to monitor the behavior of users, you should ask for their permission.
  But once that standard is widely implemented, and is widely used for the exact malicious purpose that was acknowledged in its specification, who's
  fault is that?
  </p>

   <hr>
  <h2>Sources</h2>
  <p>
  <a name="1">1.</a>
  <a href="https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html">Section 14 of the HTTP/1.1 Specification</a>
  <a href="http://webarchive.loc.gov/all/20160922055153/http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html">[webarchive.loc.gov]</a>
  <a href="https://web.archive.org/web/20180522154719/http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html">[web.archive.org]</a>
  <a href="http://archive.is/20180425174415/https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html">[archive.is]</a>
  <a href="https://webarchive.nrscotland.gov.uk/20170610193333/http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html">[webarchive.nrscotland.gov.uk]</a>
  <a href="http://www.webcitation.org/6tcP2LTQW">[www.webcitation.org]</a>
  <a href="http://arquivo.pt/wayback/20160108175646/http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html">[arquivo.pt]</a>
  <a href="http://veebiarhiiv.digar.ee/a/20150704125123/http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html">[veebiarhiiv.digar.ee]</a>
  <a href="http://webarchive.proni.gov.uk/20110424091530/http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html">[webarchive.proni.gov.uk]</a><br>

  <a name="2">2.</a>
  <a href="https://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html">Section 15 of the HTTP/1.1 Specification</a>
  <a href="http://webarchive.loc.gov/all/20140118222005/http://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html">[webarchive.loc.gov]</a>
  <a href="https://web.archive.org/web/20171216001049/https://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html">[web.archive.org]</a>
  <a href="http://archive.is/20131016034135/http://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html">[archive.is]</a>
  <a href="https://webarchive.nrscotland.gov.uk/20170612090136/http://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html">[webarchive.nrscotland.gov.uk]</a>
  <a href="http://arquivo.pt/wayback/20110609222436/http://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html">[arquivo.pt]</a><br>

  </p>


  <hr>
 <p><b>
 This article was last edited on 5/14/2018
 </b></p>
    <p>
 If you want to edit this article, or contribute your own article(s), contact us on XMPP over in spyware@conference.nuegia.net, or visit us at the git repo on <a href="https://codeberg.org/TheShadow/SpywareWatchdog">Codeberg</a>. All contributions must be licensed under the CC0 liscence to be accepted.
 </p>
  <a href="https://creativecommons.org/publicdomain/zero/1.0/legalcode"><img src="../images/cc0.png" alt="CC0 Liscence"></a>
  </body>
</html>
thy first commit 2020-02-07 09:12:15 +02:00			`<!DOCTYPE HTML>`
			`<html lang=”en-us”>`
			`<head>`
fixed file paths, added notice 2020-02-08 10:09:18 +02:00			`<link rel="stylesheet" href="../style.css">`
thy first commit 2020-02-07 09:12:15 +02:00			`<meta charset="UTF-8">`
			`<title>Spyware Watchdog</title>`
			`</head>`
			`<body>`
			`<h1>HyperText Transmission Protocol</h1>`
fixed images mess up 2020-02-08 10:32:22 +02:00			`<img src="../images/w3c_logo.png" alt="World Wide Web Consortum: The maintainers of the HTTP standard">`
fixed file paths, added notice 2020-02-08 10:09:18 +02:00			`<p><a href="../articles/index.html">Back to catalog</a></p>`
thy first commit 2020-02-07 09:12:15 +02:00			`<p>`
			`HTTP is a protocol usually used for transferring HyperText Markup Language documents accross the internet.`
			`</p>`
			`<h2>Spyware Level: <font color=yellow>Medium</font></h2>`
			`<p>`
fixed file paths, added notice 2020-02-08 10:09:18 +02:00			`HTTP is a protocol that is not designed with the privacy of its users in mind. The language used in the HTTP specification explicitly says that`
			`the protocol was designed with enabling the datamining of its users in mind, and contains features that are not absolutely necessary for the purpose of the`
			`protocol, but allow the protocol compromise user privacy.`
thy first commit 2020-02-07 09:12:15 +02:00			`</p>`
			`<h3>"User-Agent" Datamining feature</h3>`
			`<p>`
fixed file paths, added notice 2020-02-08 10:09:18 +02:00			`Section 14.43<sup><a href="#1">[1]</a></sup> of the HTTP specification details the "User-Agent"`
thy first commit 2020-02-07 09:12:15 +02:00			`spyware feature of the protocol that, when implemented, will attach information about your computing enviroment that can be used to track you.`
			`The biggest danger of the User-Agent spyware is that there is no way to anonymously opt-out of this- even if you do not provide a user-agent,`
			`because almost everyone else does, you will be tracked by the fact that you do <b>not</b> provide that information. There are many strategies`
			`to mitigate this spyware, with only varying levels of success, but the problem is that this is the acceptable standard of how HTTP is used-`
fixed file paths, added notice 2020-02-08 10:09:18 +02:00			`and not the forgotten feature that it should be. Not only does the User-Agent feature collect this unncessary information, its purpose is explicitly`
thy first commit 2020-02-07 09:12:15 +02:00			`stated in the protocol specifications to aid in datamining.`
			`</p>`
			`<p><i>`
			`"The User-Agent request-header field contains information about the user agent originating the request. This is for <b>statistical purposes</b>, the tracing of protocol violations, and automated recognition of user agents for the sake of tailoring responses to avoid particular user agent limitations. User agents SHOULD include this field with requests. "`
			`</i></p>`
			`<h3>Acknowledgement of HTTP's privacy problem</h3>`
			`<p>`
fixed file paths, added notice 2020-02-08 10:09:18 +02:00			`In the HTTP specification, the W3C explicitly acknowledges the serious privacy violations that implementations of this protocol are capable of comitting.`
			`Section 15.1<sup><a href="#2">[2]</a></sup> of the HTTP specification has a very detailed analysis of`
thy first commit 2020-02-07 09:12:15 +02:00			`the implications of the comprimization of privacy that the User-Agent spyware allows to happen and suggests how to use the User-Agent feature: as an opt-in`
fixed file paths, added notice 2020-02-08 10:09:18 +02:00			`feature where the privacy concerns of using such a feature are properly explained to the user. Even though this is a good section, it shows a very naieve`
			`viewpoint from the W3C- the expectation that this feature would not be abused, and the expectation that implementers of this standard would respect the`
			`privacy of their users and would not use these features of the protocol to datamine users.`
thy first commit 2020-02-07 09:12:15 +02:00			`</p>`
			`<p>`
fixed file paths, added notice 2020-02-08 10:09:18 +02:00			`At best, you could call this mindset naieve. Or, you could call it negligent. If you want to hold the W3C in contempt, you could call it malicious.`
thy first commit 2020-02-07 09:12:15 +02:00			`It's easy to write in your standard that while you could use this protocol to monitor the behavior of users, you should ask for their permission.`
			`But once that standard is widely implemented, and is widely used for the exact malicious purpose that was acknowledged in its specification, who's`
fixed file paths, added notice 2020-02-08 10:09:18 +02:00			`fault is that?`
thy first commit 2020-02-07 09:12:15 +02:00			`</p>`
fixed file paths, added notice 2020-02-08 10:09:18 +02:00
thy first commit 2020-02-07 09:12:15 +02:00			`<hr>`
			`<h2>Sources</h2>`
			`<p>`
			`<a name="1">1.</a>`
			`<a href="https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html">Section 14 of the HTTP/1.1 Specification</a>`
			`<a href="http://webarchive.loc.gov/all/20160922055153/http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html">[webarchive.loc.gov]</a>`
			`<a href="https://web.archive.org/web/20180522154719/http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html">[web.archive.org]</a>`
			`<a href="http://archive.is/20180425174415/https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html">[archive.is]</a>`
			`<a href="https://webarchive.nrscotland.gov.uk/20170610193333/http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html">[webarchive.nrscotland.gov.uk]</a>`
			`<a href="http://www.webcitation.org/6tcP2LTQW">[www.webcitation.org]</a>`
			`<a href="http://arquivo.pt/wayback/20160108175646/http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html">[arquivo.pt]</a>`
			`<a href="http://veebiarhiiv.digar.ee/a/20150704125123/http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html">[veebiarhiiv.digar.ee]</a>`
			`<a href="http://webarchive.proni.gov.uk/20110424091530/http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html">[webarchive.proni.gov.uk]</a><br>`
fixed file paths, added notice 2020-02-08 10:09:18 +02:00
thy first commit 2020-02-07 09:12:15 +02:00			`<a name="2">2.</a>`
			`<a href="https://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html">Section 15 of the HTTP/1.1 Specification</a>`
			`<a href="http://webarchive.loc.gov/all/20140118222005/http://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html">[webarchive.loc.gov]</a>`
			`<a href="https://web.archive.org/web/20171216001049/https://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html">[web.archive.org]</a>`
			`<a href="http://archive.is/20131016034135/http://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html">[archive.is]</a>`
			`<a href="https://webarchive.nrscotland.gov.uk/20170612090136/http://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html">[webarchive.nrscotland.gov.uk]</a>`
			`<a href="http://arquivo.pt/wayback/20110609222436/http://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html">[arquivo.pt]</a><br>`
fixed file paths, added notice 2020-02-08 10:09:18 +02:00
thy first commit 2020-02-07 09:12:15 +02:00			`</p>`
fixed file paths, added notice 2020-02-08 10:09:18 +02:00

thy first commit 2020-02-07 09:12:15 +02:00			`<hr>`
			`<p><b>`
			`This article was last edited on 5/14/2018`
			`</b></p>`
			`<p>`
surf article & new themeing plus XHTML 3 2020-03-22 05:33:06 +02:00			`If you want to edit this article, or contribute your own article(s), contact us on XMPP over in spyware@conference.nuegia.net, or visit us at the git repo on <a href="https://codeberg.org/TheShadow/SpywareWatchdog">Codeberg</a>. All contributions must be licensed under the CC0 liscence to be accepted.`
thy first commit 2020-02-07 09:12:15 +02:00			`</p>`
fixed images mess up 2020-02-08 10:32:22 +02:00			`<a href="https://creativecommons.org/publicdomain/zero/1.0/legalcode"><img src="../images/cc0.png" alt="CC0 Liscence"></a>`
thy first commit 2020-02-07 09:12:15 +02:00			`</body>`
fixed file paths, added notice 2020-02-08 10:09:18 +02:00			`</html>`