aboutsummaryrefslogtreecommitdiffstats
path: root/proposals
diff options
context:
space:
mode:
authorPaul Frazee <pfrazee@gmail.com>2018-05-30 14:56:48 -0500
committerPaul Frazee <pfrazee@gmail.com>2018-05-30 14:56:48 -0500
commit833f0b8bbc96e379ba2ad48c30a964ec7d2eddd7 (patch)
treec59716239edfc2997fa1725a8990cb08a762822e /proposals
parent83bcec91b8d01ab57777e8bb602b3774d5a178b6 (diff)
downloaddat-deps-833f0b8bbc96e379ba2ad48c30a964ec7d2eddd7.tar.gz
dat-deps-833f0b8bbc96e379ba2ad48c30a964ec7d2eddd7.zip
Expand on drawbacks in proposals/0000-session-data-extension.md
Diffstat (limited to 'proposals')
-rw-r--r--proposals/0000-session-data-extension.md4
1 files changed, 3 insertions, 1 deletions
diff --git a/proposals/0000-session-data-extension.md b/proposals/0000-session-data-extension.md
index d7cffa9..659e70d 100644
--- a/proposals/0000-session-data-extension.md
+++ b/proposals/0000-session-data-extension.md
@@ -43,7 +43,9 @@ After publishing this DEP, the "Beaker Browser" will implement a Web API for exp
# Drawbacks
[drawbacks]: #drawbacks
-This DEP may present privacy concerns, as it may be used to track users in a similar fashion to HTTP Cookies.
+- This DEP may present privacy concerns, as it may be used to track users in a similar fashion to HTTP Cookies.
+- The payload of the `'session-data'` message is not authenticated in any way. If a public key is sent, proof of ownership of the private key is not provided. The lack of trust must be considered by applications which leverage the data.
+- If the recipient of the `'session-data'` message is not authenticated (as is currently the case in all Dat replication connections) the client will not know who is receiving the payload and may broadcast sensitive information.
# Rationale and alternatives