SpywareWatchdog/articles/http.html

85 lines
6.0 KiB
HTML
Raw Normal View History

2020-02-07 09:12:15 +02:00
<!DOCTYPE HTML>
<html lang=”en-us”>
<head>
2020-02-08 10:09:18 +02:00
<link rel="stylesheet" href="../style.css">
2020-02-07 09:12:15 +02:00
<meta charset="UTF-8">
<title>Spyware Watchdog</title>
</head>
<body>
<h1>HyperText Transmission Protocol</h1>
2020-02-08 10:09:18 +02:00
<img src../images/w3c_logo.png" alt="World Wide Web Consortum: The maintainers of the HTTP standard">
<p><a href="../articles/index.html">Back to catalog</a></p>
2020-02-07 09:12:15 +02:00
<p>
HTTP is a protocol usually used for transferring HyperText Markup Language documents accross the internet.
</p>
<h2>Spyware Level: <font color=yellow>Medium</font></h2>
<p>
2020-02-08 10:09:18 +02:00
HTTP is a protocol that is not designed with the privacy of its users in mind. The language used in the HTTP specification explicitly says that
the protocol was designed with enabling the datamining of its users in mind, and contains features that are not absolutely necessary for the purpose of the
protocol, but allow the protocol compromise user privacy.
2020-02-07 09:12:15 +02:00
</p>
<h3>"User-Agent" Datamining feature</h3>
<p>
2020-02-08 10:09:18 +02:00
Section 14.43<sup><a href="#1">[1]</a></sup> of the HTTP specification details the "User-Agent"
2020-02-07 09:12:15 +02:00
spyware feature of the protocol that, when implemented, will attach information about your computing enviroment that can be used to track you.
The biggest danger of the User-Agent spyware is that there is no way to anonymously opt-out of this- even if you do not provide a user-agent,
because almost everyone else does, you will be tracked by the fact that you do <b>not</b> provide that information. There are many strategies
to mitigate this spyware, with only varying levels of success, but the problem is that this is the acceptable standard of how HTTP is used-
2020-02-08 10:09:18 +02:00
and not the forgotten feature that it should be. Not only does the User-Agent feature collect this unncessary information, its purpose is explicitly
2020-02-07 09:12:15 +02:00
stated in the protocol specifications to aid in datamining.
</p>
<p><i>
"The User-Agent request-header field contains information about the user agent originating the request. This is for <b>statistical purposes</b>, the tracing of protocol violations, and automated recognition of user agents for the sake of tailoring responses to avoid particular user agent limitations. User agents SHOULD include this field with requests. "
</i></p>
<h3>Acknowledgement of HTTP's privacy problem</h3>
<p>
2020-02-08 10:09:18 +02:00
In the HTTP specification, the W3C explicitly acknowledges the serious privacy violations that implementations of this protocol are capable of comitting.
Section 15.1<sup><a href="#2">[2]</a></sup> of the HTTP specification has a very detailed analysis of
2020-02-07 09:12:15 +02:00
the implications of the comprimization of privacy that the User-Agent spyware allows to happen and suggests how to use the User-Agent feature: as an opt-in
2020-02-08 10:09:18 +02:00
feature where the privacy concerns of using such a feature are properly explained to the user. Even though this is a good section, it shows a very naieve
viewpoint from the W3C- the expectation that this feature would not be abused, and the expectation that implementers of this standard would respect the
privacy of their users and would not use these features of the protocol to datamine users.
2020-02-07 09:12:15 +02:00
</p>
<p>
2020-02-08 10:09:18 +02:00
At best, you could call this mindset naieve. Or, you could call it negligent. If you want to hold the W3C in contempt, you could call it malicious.
2020-02-07 09:12:15 +02:00
It's easy to write in your standard that while you could use this protocol to monitor the behavior of users, you should ask for their permission.
But once that standard is widely implemented, and is widely used for the exact malicious purpose that was acknowledged in its specification, who's
2020-02-08 10:09:18 +02:00
fault is that?
2020-02-07 09:12:15 +02:00
</p>
2020-02-08 10:09:18 +02:00
2020-02-07 09:12:15 +02:00
<hr>
<h2>Sources</h2>
<p>
<a name="1">1.</a>
<a href="https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html">Section 14 of the HTTP/1.1 Specification</a>
<a href="http://webarchive.loc.gov/all/20160922055153/http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html">[webarchive.loc.gov]</a>
<a href="https://web.archive.org/web/20180522154719/http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html">[web.archive.org]</a>
<a href="http://archive.is/20180425174415/https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html">[archive.is]</a>
<a href="https://webarchive.nrscotland.gov.uk/20170610193333/http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html">[webarchive.nrscotland.gov.uk]</a>
<a href="http://www.webcitation.org/6tcP2LTQW">[www.webcitation.org]</a>
<a href="http://arquivo.pt/wayback/20160108175646/http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html">[arquivo.pt]</a>
<a href="http://veebiarhiiv.digar.ee/a/20150704125123/http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html">[veebiarhiiv.digar.ee]</a>
<a href="http://webarchive.proni.gov.uk/20110424091530/http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html">[webarchive.proni.gov.uk]</a><br>
2020-02-08 10:09:18 +02:00
2020-02-07 09:12:15 +02:00
<a name="2">2.</a>
<a href="https://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html">Section 15 of the HTTP/1.1 Specification</a>
<a href="http://webarchive.loc.gov/all/20140118222005/http://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html">[webarchive.loc.gov]</a>
<a href="https://web.archive.org/web/20171216001049/https://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html">[web.archive.org]</a>
<a href="http://archive.is/20131016034135/http://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html">[archive.is]</a>
<a href="https://webarchive.nrscotland.gov.uk/20170612090136/http://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html">[webarchive.nrscotland.gov.uk]</a>
<a href="http://arquivo.pt/wayback/20110609222436/http://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html">[arquivo.pt]</a><br>
2020-02-08 10:09:18 +02:00
2020-02-07 09:12:15 +02:00
</p>
2020-02-08 10:09:18 +02:00
2020-02-07 09:12:15 +02:00
<hr>
<p><b>
This article was last edited on 5/14/2018
</b></p>
<p>
2020-02-08 10:09:18 +02:00
If you want to edit this article, or contribute your own article(s), contact us on XMPP over in spyware@conference.nuegia.net, or visit us at the git repo on <a href="https://codeberg.org/TheShadow/SpywareWatchdog">Codeberg</a>. All contributions must be liscenced under the CC0 liscence to be accepted.
2020-02-07 09:12:15 +02:00
</p>
2020-02-08 10:09:18 +02:00
<a href="https://creativecommons.org/publicdomain/zero/1.0/legalcode"><img src../images/cc0.png" alt="CC0 Liscence"></a>
2020-02-07 09:12:15 +02:00
</body>
2020-02-08 10:09:18 +02:00
</html>