Web feature developers told to dial up attention on privacy and security – gpgmail


Web feature developers are being warned to step up attention to privacy and security as they design contributions.

Writing in a blog post about “evolving threats” to Internet users’ privacy and security, the W3C standards body’s technical architecture group (TAG) and Privacy Interest Group (PING) set out a series of revisions to the W3C’s Security and Privacy Questionnaire for web feature developers.

The questionnaire itself is not new. But the latest updates place greater emphasis on the need for contributors to assess and mitigate privacy impacts, with developers warned that “features may not be implemented if risks are found impossible or unsatisfactorily mitigated”.

In the blog post, independent researcher Lukasz Olejnik, currently serving as an invited expert at the W3C TAG, and Apple’s Jason Novak, representing the PING, write that the intent with the update is to make it “clear that feature developers should consider security and privacy early in the feature’s lifecycle” [emphasis theirs].

“The TAG will be carefully considering the security and privacy of a feature in their design reviews,” they further warn, adding: “A security and privacy considerations section of a specification is more than answers to the questionnaire.”

The revisions to the questionnaire include updates to the threat model and specific threats a specification author should consider — including a new high level type of threat dubbed “legitimate misuse”, where the document stipulates that: “When designing a specification with security and privacy in mind, all both use and misuse cases should be in scope.”

“Including this threat into the Security and Privacy Questionnaire is meant to highlight that just because a feature is possible does not mean that the feature should necessarily be developed, particularly if the benefitting audience is outnumbered by the adversely impacted audience, especially in the long term,” they write. “As a result, one mitigation for the privacy impact of a feature is for a user agent to drop the feature (or not implement it).”

“Features should be secure and private by default and issues mitigated in their design,” they further emphasize. “User agents should not be afraid of undermining their users’ privacy by implementing new web standards or need to resort to breaking specifications in implementation to preserve user privacy.”

The pair also urge specification authors to avoid blanket treatment of first and third parties, suggesting: “Specification authors may want to consider first and third parties separately in their feature to protect user security and privacy.”

The revisions to the questionnaire come at a time when browser makers are dialling up their response to privacy threats — encouraged by rising public awareness of the risks posed by data leaks, as well as increased regulatory action on data protection.

Last month the open source WebKit browser engine (which underpins Apple’s Safari browser) announced a new tracking prevention policy that takes the strictest line yet on background and cross-site tracking, saying it would treat attempts to circumvent the policy as akin to hacking — essentially putting privacy protection on a par with security.

Earlier this month Mozilla also pushed out an update to its Firefox browser that enables an anti-tracking cookie feature across the board, for existing users too — demoting third party cookies to default junk.

Even Google’s Chrome browser has made some tentative steps towards enhancing privacy — announcing changes to how it handles cookies earlier this year. Though the adtech giant has studiously avoided flipping on privacy by default in Chrome where third party tracking cookies are concerned, leading to accusations that the move is mostly privacy-washing.

More recently Google announced a long term plan to involve its Chromium browser engine in developing a new open standard for privacy — sparking concerns it’s trying to both kick the can on privacy protection and muddy the waters by shaping and pushing self-interested definitions which align with its core data-mining business interests.

There’s more activity to consider too. Earlier this year another data-mining adtech giant, Facebook, made its first major API contribution to Google’s Chrome browser — which it also brought to the W3C Performance Working Group.

Facebook does not have its own browser, of course. Which means that authoring contributions to web technologies offers the company an alternative conduit to try to influence Internet architecture in its favor.

The W3C TAG’s latest move to focus minds on privacy and security by default is timely.

It chimes with a wider industry shift towards pro-actively defending user data, and should rule out any rubberstamping of tech giants’ contributions to Internet architecture, which is obviously a good thing. Scrutiny remains the best defence against self-interest.





Microsoft Releases First Chromium Edge Browser Beta



Microsoft has been hard at work since announcing the death of the old Edge browser. The new Chromium-based Edge has been in developer testing for several months, but the first public beta is available today. Just head over to Microsoft’s Edge landing page to download the new browser. While Microsoft stresses this is still a beta, it believes Chromium Edge is ready for everyday use. 

Since the launch of Windows 10, Microsoft has pushed the Edge browser as a more efficient alternative to the market-leading Chrome or runner-up Firefox. Microsoft wrote blog posts, made videos, and even leveraged popups in Windows to get people using Edge. In the end, Microsoft decided it wasn’t worth continuing development on its custom EdgeHTML engine. It announced late last year that it would rebuild Edge on top of Google’s open-source Chromium code. 

Microsoft launched the first builds of Chromium Edge in April, but those were the unstable canary and dev channels. Still, they were downloaded more than a million times, and Microsoft got over 140,000 pieces of feedback. Canary got updates every day, and the dev channel would get them weekly. The new beta release is the first one suitable for regular people. It gets major updates every six weeks, giving Microsoft time to ensure there are no show-stopping bugs rolling out to testers. 

Chromium Edge has all the features you’d expect from a browser in the beta channel. You can link your Microsoft account, install extensions, save passwords, and more. It looks more like Chrome than it does like the old Edge, but the theme fits better with Windows. The developers are so confident the beta is ready for use, Microsoft has made it part of its bug bounty program. Developers and researchers are free to probe the new browser for vulnerabilities and report them to Microsoft. A sufficiently severe flaw could net the discoverer up to $15,000. 

Right now, users still have to go looking for the updated Edge browser because it’s still technically a preview product. Eventually, Microsoft will add a stable channel to bundle with Windows. We don’t know when that will happen, though. Microsoft promised major feature additions like IE Mode and a unified privacy page at the Build conference in May. However, there’s no sign of those in the first beta release. Microsoft will probably want to run those through the beta channel before migrating everyone to the new browser via Windows updates. We’d bet on early 2020 availability for the stable channel.




