Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

User A sends 2-3 HTTP headers, the bare minimum, e.g., Host, Connection, maybe User-Agent or Cookie in some instances if required. User A has disabled Javascript unless she needs it.

There is actually no technical reason that an HTTP request needs to be any more than

    GET / HTTP/1.0
It's nice for the server to know your user agent, what fonts you have installed, your OS, and whatever else, but it is not necessary and so the majority of the problem of fingerprinting browsers is one created by the browser developers themselves. The original concept of the web was that the client controlled the rendering, the server shouldn't care about what specific fonts you have or the size of your screen.

There is no reason that the Firefox or Safari developers couldn't decide in the next version to send only bare minimal request headers.



Is it actually possible to request most sites that way, without a host header? Maybe if it's tls and you already used sni, but I think most sites use a cdn that uses some form of virtual hosting to share ip addresses.


Consider the basic httpd feature of providing an automatically generated index to a directory. It is possible to locate content, including names of virtual hosts, with only an IP address.


Sure.

    > nc news.ycombinator.com 80 
    GET / HTTP/1.0

    HTTP/1.1 301 Moved Permanently
    Server: nginx
    Date: Sat, 21 Nov 2020 13:59:31 GMT
    Content-Type: text/html
    Content-Length: 178
    Connection: close
    Location: https://news.ycombinator.com/


That is perhaps the least convincing test case you could have chosen to support your argument. (You basically proved you could fetch a content-less page, in part because that was the easiest proof case you could write, but because it didn’t demonstrate anything that an HN reader would come here for, it doesn’t resonate convincingly.)


    > openssl s_client -connect news.ycombinator.com:443
    GET / HTTP/1.0

    HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 21 Nov 2020 17:25:28 GMT
    Content-Type: text/html; charset=utf-8
    Connection: close
    Vary: Accept-Encoding
    Cache-Control: private; max-age=0
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    Referrer-Policy: origin
    Strict-Transport-Security: max-age=31556900
    Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://cdnjs.cloudflare.com/; frame-src 'self' https://www.google.com/recaptcha/; style-src 'self' 'unsafe-inline'

    <html lang="en" op="news"><head><meta name="referrer" content="origin"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link rel="stylesheet" type="text/css" href="news.css?jacyibSTLtogl89kgrgw">
            <link rel="shortcut icon" href="favicon.ico">
              <link rel="alternate" type="application/rss+xml" title="RSS" href="rss">


            <title>Hacker News</title>


As the kids say, "100%".

All that additional crud has probably contributed to the "relative ease" of conducting tracking as well as the "richness" of the data one can gather from tracking. Why should we ignore this simple fact.

The people behind these browers, especially Mozilla, keep assuring the public they are working to protect user privacy. This may be true to some extent but what they are not telling the public is how they are working to ensure the online advertsing industry continues to thrive, i.e., how they are working to ensure they do not upset the status quo. The words do not match the actions.

I would not rely on the browser developers to address this problem. To experiment with how well minimalism works on today's web, one can use alternative HTTP clients that allow control over headers and/or one can use a forward proxy one can remove/modify headers generated by the browser.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: