
The hints do seem like a good approach, though scary from a fingerprinting side as they're much more fine-grained.





It changes the passive fingerprinting vector to an active one: https://github.com/bslassey/privacy-budget#passive-surfaces

So, while UA hints could potentially supply more information than the current UA string - each item needs to be explicitly requested by the site meaning the browser can make a choice on what to return. This may depend on the user's preferences, level of trust in a site, the amount of identifying information already provided to the site, etc.
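A sketch of the browser-side choice described in the comment above, as an added example that is not part of the original thread: the site's `Accept-CH` request is parsed and a per-site policy decides which high-entropy hints to return. The hint names are real UA Client Hints headers; the trust levels, limits and function names are assumptions made for illustration.

```javascript
// Added example: hypothetical browser-side policy for UA Client Hints.
// Low-entropy hints are sent by default; high-entropy ones only if the site asks.
const LOW_ENTROPY = ["sec-ch-ua", "sec-ch-ua-mobile", "sec-ch-ua-platform"];
const HIGH_ENTROPY = new Set([
  "sec-ch-ua-arch", "sec-ch-ua-bitness", "sec-ch-ua-model",
  "sec-ch-ua-platform-version", "sec-ch-ua-full-version-list",
]);

// Assumed policy: how many high-entropy hints each trust level may receive.
const POLICY = new Map([["untrusted", 0], ["default", 2], ["trusted", Infinity]]);

// Split an Accept-CH response header value into normalized hint names.
function parseAcceptCH(value) {
  return (value || "")
    .split(",")
    .map((token) => token.trim().toLowerCase())
    .filter((token) => token.length > 0);
}

// Decide what to return. Because the site had to ask, every request is
// visible to the browser and can be counted, granted or refused.
function decideHints(acceptCH, trust = "default") {
  const limit = POLICY.has(trust) ? POLICY.get(trust) : POLICY.get("default");
  const granted = [...LOW_ENTROPY];
  const withheld = [];
  const other = []; // hints outside the UA set modelled here
  let used = 0;
  for (const hint of new Set(parseAcceptCH(acceptCH))) {
    if (LOW_ENTROPY.includes(hint)) continue; // already sent by default
    if (!HIGH_ENTROPY.has(hint)) { other.push(hint); continue; }
    if (used < limit) { granted.push(hint); used++; } else withheld.push(hint);
  }
  return { granted, withheld, other, requestedHighEntropy: used + withheld.length };
}

// Constructed sample header, not taken from any real site.
const SAMPLE =
  "Sec-CH-UA-Arch, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Mobile, Device-Memory";
console.log(decideHints(SAMPLE, "default"));
```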


> It changes the passive fingerprinting vector to an active one

You say this as though the ad industry cares.

> So, while UA hints could potentially supply more information than the current UA string - each item needs to be explicitly requested by the site meaning the browser can make a choice on what to return.

Let me introduce you to useragent switchers.

The replacement is strictly worse. Simply freezing the user agent solves things well.


> You say this as though the ad industry cares.

They don't have a choice? The point about passive vs active is that it places control with the browser/user where they didn't have it before. You'll be able to respond to some hints and ignore others.

> Let me introduce you to useragent switchers.

And what's the adoption rate of those, I wonder... less than 1% of users? This client hints standard will make it a lot more reasonable for non-power users to control what information is being disclosed, should they wish.


> They don't have a choice? The point about passive vs active is that it places control with the browser/user where they didn't have it before. You'll be able to respond to some hints and ignore others.

So, you are saying that every time someone wants to test browser compatibility, the browser will prompt the user?

No, they're not doing that. Which means that the information is in the hands of anyone that cares. It just isn't in Apache server logs by default.

> And what's the adoption rate of those, I wonder... less than 1% of users?

About as high as the dynamic equivalent will be.

Which is why not replacing the useragent string is the only option that makes things better.



