A Privacy Measure Turned Upside Down? Investigating the Use of HTTP Client Hints on the Web
HTTP client hints are a set of standardized HTTP request headers designed to modernize and potentially replace the traditional user agent string. While the user agent string exposes a wide range of information about the client's browser and device, client hints provide a controlled and structured approach for clients to selectively disclose their capabilities and preferences to servers. Essentially, client hints aim at a more effective and privacy-friendly disclosure of browser or client properties than the user agent string. We present a first long-term study of the use of HTTP client hints in the wild. We found that despite being implemented in almost all web browsers, server-side usage of client hints remains generally low. However, in the context of third-party websites, which are often linked to trackers, the adoption rate is significantly higher. This is concerning because client hints allow the retrieval of more data from the client than the user agent string provides, and there are currently no mechanisms for users to detect or control this potential data leakage. Our work provides valuable insights for web users, browser vendors, and researchers by exposing potential privacy violations via client hints and providing help in developing remediation strategies as well as further research.
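The server-side opt-in the abstract refers to is visible in response headers: `Accept-CH` (RFC 8942) asks the browser to send extra hints on later requests, and `Permissions-Policy` `ch-*` directives delegate them to embedded third-party origins. The following audit script is an added example, not code from the paper or its measurement setup; the hint names and the low/high-entropy split follow the UA Client Hints specification, and the sample headers are constructed.

```python
"""Audit HTTP response headers for client-hint opt-in (added example).

Accept-CH (RFC 8942) lists hints the server asks the browser to send on
later requests; Permissions-Policy ch-* directives delegate hints to
third-party origins. Sample headers below are constructed.
"""
import re

# Sent by default (roughly what the reduced User-Agent string reveals).
LOW_ENTROPY = {"sec-ch-ua", "sec-ch-ua-mobile", "sec-ch-ua-platform"}
# Only sent after a server opts in; each goes beyond the user agent string.
HIGH_ENTROPY = {
    "sec-ch-ua-arch", "sec-ch-ua-bitness", "sec-ch-ua-full-version",
    "sec-ch-ua-full-version-list", "sec-ch-ua-model",
    "sec-ch-ua-platform-version", "sec-ch-ua-wow64",
    "device-memory", "dpr", "viewport-width", "width",
    "downlink", "ect", "rtt", "save-data",
}

def parse_accept_ch(value):
    """Return the set of hint names (lowercased) listed in Accept-CH."""
    return {t.strip().lower() for t in value.split(",") if t.strip()}

def parse_ch_delegation(policy):
    """Map each ch-* Permissions-Policy feature to the third-party origins
    it is delegated to; 'self' is dropped, a bare '*' is kept as a flag."""
    delegated = {}
    for feature, allow in re.findall(r"(ch-[\w-]+)=\(([^)]*)\)", policy):
        origins = [o.strip('"') for o in allow.split() if o != "self"]
        if origins:
            delegated[feature] = origins
    return delegated

def audit(headers):
    """Classify the hints a response requests, by header name (any case)."""
    lower = {k.lower(): v for k, v in headers.items()}
    requested = parse_accept_ch(lower.get("accept-ch", ""))
    return {
        "high_entropy": sorted(requested & HIGH_ENTROPY),
        "low_entropy": sorted(requested & LOW_ENTROPY),
        "unknown": sorted(requested - HIGH_ENTROPY - LOW_ENTROPY),
        "delegated": parse_ch_delegation(lower.get("permissions-policy", "")),
    }

# Constructed sample: a first party opting in to high-entropy hints and
# delegating two of them to an embedded third-party origin.
SAMPLE_HEADERS = {
    "Accept-CH": "Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, "
                 "Sec-CH-UA-Platform-Version, Sec-CH-UA-Arch",
    "Permissions-Policy": 'ch-ua-model=("https://third-party.example"), '
                          'ch-ua-platform-version=(self "https://third-party.example")',
}
```

Run `audit(SAMPLE_HEADERS)` against captured response headers to see which high-entropy hints a site requests and to whom it delegates them.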
| Field | Value |
|---|---|
| Document Type | Conference Object |
| Language | English |
| Author | Stephan Wiefling, Marian Hönscheid, Luigi Lo Iacono |
| Parent Title (English) | The 19th International Conference on Availability, Reliability and Security (ARES 2024), July 30-August 2, 2024, Vienna, Austria |
| Article Number | 4 |
| First Page | 1 |
| Last Page | 12 |
| URN | urn:nbn:de:hbz:1044-opus-83218 |
| DOI | https://doi.org/10.1145/3664476.3664478 |
| Publisher | Association for Computing Machinery |
| Place of publication | New York, NY, United States |
| Publishing Institution | Hochschule Bonn-Rhein-Sieg |
| Date of first publication | 2024/05/23 |
| Copyright | © 2024 Copyright held by the owner/author(s). Publication rights licensed to ACM. This is the author's version of the work. It is posted here for your personal use. |
| Keywords | HTTP client hints; privacy; risk-based authentication; security; tracking; web measurement |
| Departments, institutes and facilities | Fachbereich Informatik; Institut für Cyber Security & Privacy (ICSP) |
| Dewey Decimal Classification (DDC) | 0 Computer science, information and general works / 00 Computer science, knowledge and systems / 005 Computer programming, programs and data |
| Entry in this database | 2024/05/23 |