I, too, "value your privacy" but unlike most I think it is priceless and fundamental. Privacy Policy

HTTP3

First thing first: Well done, this is the first article where I had to drop a letter from the title to keep the orthogonality between the title and the filename.

I went to the HTTP/3 talk at FOSDEM, it was quite interesting until I got reminded that the Web can't get it's shit right: QUIC basically has tracking of how good your connection/browser/… is, hello fingerprinting.

So none of my computers will have support for HTTP/3 or QUIC, I run gentoo and I have my own browser which reuses existant parts of the system, I wish other browsers would do the same but I have no hope there. At worst I will have a reduced implementation of the protocol (for example no 0-RTT "Handshake") for compatibility if I get forced to use it. But I don't see it coming other than maybe for less pain in Google ReeCaptcha (fuck your website if it's using it) as I still support HTTP/0.9 throught HTTP/1.1, and HTTP/2 is only enabled on my HTTP server just because nginx has support for it.

If there is one thing to fix in your broken protocol it's the fact that ETag is also great at being a fucking tracker, but HTTP 304 Not Modified is the same so congrats, we have caching with also having it being tracked. And of course the lawsuits went against KISSmetrics and Hulu instead of browser vendors or protocol designers, because if I had time for this shit (and any trust in the Justice) I probably would sue them, not the ones merely watching their logs.

The client should only do a HEAD to get new metadata and then do it's own side-effects. It's not tracking-proof but it would at least mean having to do tracking on multiple requests and with a risk of false-positives (HEAD and then sometimes GET being used by some software for link previews), while currently you can basically be 100% sure because it's part of the protocol.

The solution adopted by most frontend folks for cache managment was to put a hash into the filename, and it's quite a good way to do it in their case. It should only have been into headers rather than into the filename so it could be used by other folks and a hash/version in the filename would get more rare, thus having better caching.

Fediverse post for comments, published on 2020-03-01T02:00:00Z, last updated on 2020-03-01T02:01:00Z

article only(plain XHTML)