- From: Luca Passani <passani@eunet.no>
- Date: Mon, 04 Aug 2008 23:06:14 +0200
- To: public-bpwg-comments@w3.org
Having look at the conversation you are having here, I think there are conflicting information about how HTTPS is handled by transcoding servers. I understand that not all transcoders work the same, but some do perform a man-in-the-middle-attack, and IMO this should not be endorsed by the W3C guidelines. The way many transcoders work is that they run instances of real web browsers (talking about tens or hundreds of Internet Explorer instances running in the memory of the server here). This means that there is no way for content owners to protect against transcoders simply because the server is talking to a legitimate web browser, exchanging real certificates, logging-in with real passwords, establishing secure SSL connetions and all the rest. The point of the Content Transformation Guidelines seems to be "some users may want to continue using the service at the cost of degrading security". Well, this is not up to the user to decide, I am afraid. HTTPS is also about non-repudiation and the fact that users must not be able to say "I did not do it" at a later stage. The fact that transcoders have found a technical way to by-pass HTTPS security does not mean that they have the right to do it. Nor does it mean that end-users can take advantage of it. Luca
Received on Monday, 4 August 2008 21:06:54 UTC