From 833f0b8bbc96e379ba2ad48c30a964ec7d2eddd7 Mon Sep 17 00:00:00 2001 From: Paul Frazee Date: Wed, 30 May 2018 14:56:48 -0500 Subject: Expand on drawbacks in proposals/0000-session-data-extension.md --- proposals/0000-session-data-extension.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'proposals/0000-session-data-extension.md') diff --git a/proposals/0000-session-data-extension.md b/proposals/0000-session-data-extension.md index d7cffa9..659e70d 100644 --- a/proposals/0000-session-data-extension.md +++ b/proposals/0000-session-data-extension.md @@ -43,7 +43,9 @@ After publishing this DEP, the "Beaker Browser" will implement a Web API for exp # Drawbacks [drawbacks]: #drawbacks -This DEP may present privacy concerns, as it may be used to track users in a similar fashion to HTTP Cookies. +- This DEP may present privacy concerns, as it may be used to track users in a similar fashion to HTTP Cookies. +- The payload of the `'session-data'` message is not authenticated in any way. If a public key is sent, proof of ownership of the private key is not provided. The lack of trust must be considered by applications which leverage the data. +- If the recipient of the `'session-data'` message is not authenticated (as is currently the case in all Dat replication connections) the client will not know who is receiving the payload and may broadcast sensitive information. # Rationale and alternatives -- cgit v1.2.3