
Merge pull request #12 from w3ctag/2-and-10
Add explicit call to action and experimentation
cynthia authored Jan 23, 2024
2 parents fdcad23 + 9f8e80a commit a00201c
Showing 1 changed file with 21 additions and 8 deletions.
29 changes: 21 additions & 8 deletions index.html
Expand Up @@ -183,14 +183,27 @@
When HTTP/2 [[rfc9113]] was introduced, attempts were made to alleviate the need for bundling using Server Push, but the performance gain was not noticeable enough to justify the complexity cost.
The introduction of HTTP/3 [[rfc9114]], based on QUIC [[rfc9100]] may provide new solutions to these issues.

## Closing Remarks
## Angles for Experimentation

Unfortunately, the solution to this is largely an unsolved problem
and the web platform does not have all the machinery needed to solve this problem.
One idea that would be worth experimenting with is
to re-use existing ideas, such as introducing smart delays
(e.g., within the standard deviance for the distribution)
for cache fetches to mitigate user fingerprinting.
We cannot compromise on the security and privacy guarantees that double keying provides.
Additionally, no immediate replacements provide equivalent conveniences and functionality
that bundling provides as of the time of writing.

If we move the ecosystem to be unbundled, the cost of transport will go up.
However, we cannot simply remove double keying to alleviate that cost.
One potential way forward could be to experiment with mechanisms that
emulate the effects of double-keyed caching through a software layer
but not necessarily trigger the wire transport.

TODO: (Mention bundling + delta transport here)
One potential avenue could involve a noising layer on top of a single-keyed cache,
which adds enough noise to prevent attacks that rely on timing (e.g., artificial delays)
or metadata (e.g., adding noise in latent state).

## Call to Action

Unfortunately, the solution to this is largely an unsolved problem
and the web platform does not yet have all the machinery needed to solve this problem.
We would like to see experts from the community
to experiment with different approaches to find a more sustainable solution
and eventually propose a solution that reduces the costs
while preserving the security and privacy guarantees we have today.
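Review bot: the "noising layer on top of a single-keyed cache" idea in the new Angles for Experimentation section sits in tension with the sentence that precedes it, "We cannot compromise on the security and privacy guarantees that double keying provides." A single-keyed cache with added timing noise still shares cache state across sites, and random delays can be averaged out by an attacker who repeats the probe, so the text should state the threat model it is defending against (timing-based history sniffing only, or also non-timing leaks of cache state) and why noise "within the standard deviance for the distribution" is believed sufficient; otherwise the section reads as proposing exactly the thing the previous paragraph rules out. Two wording issues in the same passage: "standard deviance" should be "standard deviation", and in "attacks that rely on timing (e.g., artificial delays) or metadata (e.g., adding noise in latent state)" both parentheticals name the proposed mitigation rather than an example of the attack, so either swap them for attack examples or rephrase as "mitigated by ...". The removed line "TODO: (Mention bundling + delta transport here)" is dropped without any text on bundling plus delta transport being added in its place; if that angle is no longer planned, say so in the commit or PR, otherwise keep the TODO. Minor grammar in Call to Action: "We would like to see experts from the community to experiment" should read "We would like to see experts from the community experiment".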
