undefined | Better HN

0 pointsquotemstr13y ago0 comments

How so? A unique identifier is a unique identifier.

0 comments

ars13y ago

If the browser created the unique identifier instead of the server it could create a new one as often as necessary.

I think that would actually work very nicely.

rmc13y ago

Browsers can do that now with cookies, by just clearing old cookies.

angelbob13y ago

If you don't store a leakable cookie on the client and only use a connection ID (which is autoassigned by the server and cannot be easily forged) then a lot of cross-domain evil hackery goes away.

danellis13y ago

I don't know what you mean by 'leakable' exactly, but you can already mark cookies as HttpOnly (not accessible from Javascript) and Secure (only transmitted over HTTPS).

angelbob13y ago

"Leakable" in the sense that you can hand it to somebody else and they can actually use it.

A cookie is leakable because the client chooses to send it, so copying it to somebody else is really bad. A server-assigned per-connection ID is not leakable unless you can spoof the IP address of the one you're sending as.

3 more replies

pdeuchler13y ago

Of course, but the question is what that unique identifier denotes.

An IP address tells people who you are, where you are, and what you do.

A unique identifier ('+18El1iZRFCIiqRpfw4dJR8mXjJn2UxPrjwoRNpjSWg=' for instance) tells what you do without the who and where [1].

It's even possible advertisers could still target users based upon these identifiers, just without the background knowledge that makes these sorts of things privacy issues.

[1] I'll admit, it could be argued that the what can determine the who and where

j / k navigate · click thread line to collapse

0 comments

ars13y ago

If the browser created the unique identifier instead of the server it could create a new one as often as necessary.

I think that would actually work very nicely.

rmc13y ago

Browsers can do that now with cookies, by just clearing old cookies.

angelbob13y ago

If you don't store a leakable cookie on the client and only use a connection ID (which is autoassigned by the server and cannot be easily forged) then a lot of cross-domain evil hackery goes away.

danellis13y ago

I don't know what you mean by 'leakable' exactly, but you can already mark cookies as HttpOnly (not accessible from Javascript) and Secure (only transmitted over HTTPS).

angelbob13y ago

"Leakable" in the sense that you can hand it to somebody else and they can actually use it.

3 more replies

pdeuchler13y ago

Of course, but the question is what that unique identifier denotes.

An IP address tells people who you are, where you are, and what you do.

A unique identifier ('+18El1iZRFCIiqRpfw4dJR8mXjJn2UxPrjwoRNpjSWg=' for instance) tells what you do without the who and where [1].

It's even possible advertisers could still target users based upon these identifiers, just without the background knowledge that makes these sorts of things privacy issues.

[1] I'll admit, it could be argued that the what can determine the who and where

j / k navigate · click thread line to collapse