W3C home > Mailing lists > Public > public-bpwg-comments@w3.org > July to September 2008

Re: Comments on Content Transformation Guidelines?

From: Jo Rabin <jrabin@mtld.mobi>
Date: Mon, 04 Aug 2008 22:37:17 +0100
Message-ID: <4897768D.6000604@mtld.mobi>
To: Luca Passani <passani@eunet.no>
CC: public-bpwg-comments@w3.org

 > do perform a man-in-the-middle-attack, and IMO this should not be
 > endorsed by the W3C guidelines.

The W3C Content Transformation Guidelines don't endorse Content 
Transformation, period. Specifically they don't endorse interception of 
HTTPS.

 > security". Well, this is not up to the user to decide, I am afraid.

That's not so, in my view. It's up to the user and the content provider 
to accept that they are willing to communicate over what may be a 
compromised channel. Neither of them has to accept that, both of them 
need to know that the channel is compromised, if it is.

Jo

On 04/08/2008 22:06, Luca Passani wrote:
> 
> 
> Having look at the conversation you are having here, I think there are 
> conflicting information about how HTTPS is handled by transcoding 
> servers. I understand that not all transcoders work the same, but some 
> do perform a man-in-the-middle-attack, and IMO this should not be 
> endorsed by the W3C guidelines.
> 
> The way many transcoders work is that they run instances of real web 
> browsers (talking about tens or hundreds of Internet Explorer instances 
> running in the memory of the server here). This means that there is no 
> way for content owners to protect against transcoders simply because the 
> server is talking to a legitimate web browser, exchanging real 
> certificates, logging-in with real passwords, establishing secure SSL 
> connetions and all the rest.
> 
> The point of the Content Transformation Guidelines seems to be "some 
> users may want to continue using the service at the cost of degrading 
> security". Well, this is not up to the user to decide, I am afraid. 
> HTTPS is also about non-repudiation and the fact that users must not be 
> able to say "I did not do it" at a later stage. The fact that 
> transcoders have found a technical way to by-pass HTTPS security does 
> not mean that they have the right to do it. Nor does it mean that 
> end-users can take advantage of it.
> 
> Luca
> 
> 
> 
> 
Received on Monday, 4 August 2008 21:38:22 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:01:50 UTC