From: Marcus H. <ha...@ki...> - 2020-12-17 07:07:05
And, to reinforce this, some users complained that they were asked for
the certificate they have in their browser, just because some
misconfigured IdP requested the certificate for sending the logo. This
all creates pain for the user -- unnecessarily.

M

On 12/17/20 07:20, Sander Apweiler wrote:
> Good morning Krzysztof,
>
> We have another reason for providing the logos through unity, instead
> of the users' browsers. While normal browsers do not load the content
> if a certificate is not trusted or a hostname mismatch appears, some
> apps, e.g. RocketChat, throw errors and the users think we have an
> issue on our site and open tickets. It is hard to explain to users
> without an IT, especially AAI, background that on our site everything
> is fine and the problem is out of our control.
>
> Cheers,
> Sander
>
> On Tue, 2020-10-06 at 11:32 +0200, Krzysztof Benedyczak wrote:
> > On 06.10.2020 at 09:32, Marcus Hardt wrote:
> > > On 10/06/20 09:24, Krzysztof Benedyczak wrote:
> > > > Marcus,
> > > >
> > > > On 05.10.2020 at 10:47, Marcus Hardt wrote:
> > > > > > The fact that the user gets a cookie from a site which was
> > > > > > not visited is just a few bytes on her hard drive, nothing
> > > > > > more. So I can ask: what is the real problem here?
> > > > > By requesting the picture, the user informs _all_ IdPs that
> > > > > he is about to log in to unity. That does not seem right,
> > > > > does it?
> > > > No, that's not true. The IdPs can only know that some
> > > > *anonymous* one is trying to enter a unity instance (and only
> > > > if and after they check that the referer URL is of some unity
> > > > instance). Nothing more.
> > > Anonymity is the goal here. For this unity needs to proxy the
> > > requests. At the moment it's my browser requesting those images.
> > > This is by no means anonymous.
> >
> > Are you browsing the web? Entering _any_ page opens a huge risk
> > that this webpage has an asset embedded and your browser will
> > download it. What's more, in the age of CDNs you are sharing your
> > "data" with them almost always. Not to mention cloudflare and other
> > similar services.
> >
> > > > What privacy concern is there?
> > > I am unnecessarily forced to release information to third
> > > parties, potentially outside Europe, that I've never wanted to
> > > authorise.
> >
> > Well, what information? That some unknown person using say Firefox
> > entered a webpage Y from IP Z.
> >
> > If you are very concerned about Z use one of the public VPN
> > services (I do - solves the problem for all cases). Still Z is
> > mostly useless information in the age of NAT and dynamic IPs.
> >
> > You can also fake the client agent (pretend that you are curl) if
> > this matters for you - but why?
> >
> > If your concern is about tracking for advertising/marketing -
> > disable 3rd party cookies in your browser. But seriously: are
> > edugain IdPs providing contextual ads around the globe? :-)
> >
> > Best,
> > Krzysztof
> >
>
> --
> Federated Systems and Data
> Juelich Supercomputing Centre
>
> phone: +49 2461 61 8847
> fax: +49 2461 61 6656
> email: sa....@fz...

--
Marcus.
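The disagreement above is about what an IdP learns when the user's browser fetches the IdP's logo directly, versus when the Unity instance fetches it server-side and serves it from its own origin (Sander's second point is that a broken IdP TLS setup then fails in Unity's backend rather than in the user's client). The following is an added example illustrating both paths; it is not Unity's code. A tiny "IdP" HTTP server on 127.0.0.1 records the request metadata it sees, the Unity login URL, cookie value and user-agent strings are constructed for the demonstration, and the `sp_proxy_fetch` function stands in for a hypothetical server-side logo proxy:

```python
"""Direct browser fetch of an IdP logo vs. server-side proxy fetch by the SP.

Added example, not code from Unity. Everything runs locally: a constructed
'IdP' server on 127.0.0.1 records the headers each request carries.
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed 1x1 transparent GIF used as the IdP's "logo".
LOGO_BYTES = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
              b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01"
              b"\x00\x00\x02\x02D\x01\x00;")


class FakeIdP(BaseHTTPRequestHandler):
    """Records what an IdP's web server would see and log per logo request."""
    seen = []  # one dict per request, newest last

    def do_GET(self):
        FakeIdP.seen.append({
            "path": self.path,
            "referer": self.headers.get("Referer"),
            "cookie": self.headers.get("Cookie"),
            "user_agent": self.headers.get("User-Agent"),
            "client_ip": self.client_address[0],
        })
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Content-Length", str(len(LOGO_BYTES)))
        self.send_header("Set-Cookie", "idp_track=1; Path=/")  # the "few bytes" from the thread
        self.end_headers()
        self.wfile.write(LOGO_BYTES)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_idp():
    """Start the constructed IdP on a free port; returns (server, logo URL)."""
    srv = HTTPServer(("127.0.0.1", 0), FakeIdP)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d/logo.gif" % srv.server_address[1]


def browser_fetch(logo_url, sp_page="https://unity.example.org/login",
                  cookie="idp_session=xyz"):
    """Path 1: the SP page embeds <img src=logo_url> and the user's browser
    fetches it, sending Referer, its real User-Agent, its IP and any cookie
    it already holds for that IdP. (Hypothetical SP URL and cookie value.)"""
    req = urllib.request.Request(logo_url, headers={
        "Referer": sp_page,
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/84.0",
        "Cookie": cookie,
    })
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()


def sp_proxy_fetch(logo_url, user_agent="sp-logo-fetcher/1.0"):
    """Path 2: the SP fetches the logo server-side with no Referer and no user
    cookie; the IdP sees only the SP's own IP and UA. TLS verification is
    urllib's default, and any network/TLS failure yields None so the SP can
    serve a static placeholder instead of surfacing the IdP's problem to
    the user's client."""
    req = urllib.request.Request(logo_url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            if resp.headers.get("Content-Type", "").startswith("image/"):
                return resp.read()
    except (urllib.error.URLError, OSError):
        pass
    return None


def demo():
    """Returns (what the IdP saw for the browser fetch,
               what the IdP saw for the proxied fetch,
               proxy result when the IdP is unreachable)."""
    srv, url = start_idp()
    try:
        FakeIdP.seen.clear()
        browser_fetch(url)
        direct = FakeIdP.seen[-1]
        sp_proxy_fetch(url)
        proxied = FakeIdP.seen[-1]
    finally:
        srv.shutdown()
        srv.server_close()
    fallback = sp_proxy_fetch(url)  # IdP is now down: connection refused
    return direct, proxied, fallback


if __name__ == "__main__":
    direct, proxied, fallback = demo()
    print("browser fetch, IdP saw:", direct)
    print("proxied fetch, IdP saw:", proxied)
    print("IdP unreachable, proxy returned:", fallback)
```

Running it shows the direct request carrying the Unity login page as Referer plus the browser's cookie and user-agent, while the proxied request carries only the fetcher's UA from the SP's address, and a dead IdP produces a `None` for the SP to replace with a placeholder rather than a client-side error. A real proxy would add caching, a size limit and an allow-list of logo URLs taken from federation metadata; those are left out here.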