W3C home > Mailing lists > Public > public-bpwg-comments@w3.org > July to September 2008

Re: Comments on Content Transformation Guidelines?

From: Luca Passani <passani@eunet.no>
Date: Mon, 04 Aug 2008 23:06:14 +0200
Message-ID: <48976F46.6010801@eunet.no>
To: public-bpwg-comments@w3.org

Having look at the conversation you are having here, I think there are 
conflicting information about how HTTPS is handled by transcoding 
servers. I understand that not all transcoders work the same, but some 
do perform a man-in-the-middle-attack, and IMO this should not be 
endorsed by the W3C guidelines.

The way many transcoders work is that they run instances of real web 
browsers (talking about tens or hundreds of Internet Explorer instances 
running in the memory of the server here). This means that there is no 
way for content owners to protect against transcoders simply because the 
server is talking to a legitimate web browser, exchanging real 
certificates, logging-in with real passwords, establishing secure SSL 
connetions and all the rest.

The point of the Content Transformation Guidelines seems to be "some users may want to continue using the service at the cost of degrading 
security". Well, this is not up to the user to decide, I am afraid. 
HTTPS is also about non-repudiation and the fact that users must not be able to say "I did not do it" at a later stage. The fact that 
transcoders have found a technical way to by-pass HTTPS security does not mean that they have the right to do it. Nor does it mean that 
end-users can take advantage of it.

Received on Monday, 4 August 2008 21:06:54 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:01:50 UTC