
Re: Comments on Content Transformation Guidelines?

From: Sean Owen <srowen@google.com>
Date: Tue, 5 Aug 2008 09:38:34 -0400
Message-ID: <e920a71c0808050638j11781c8bn4a5b26d7e23a4274@mail.gmail.com>
To: "Luca Passani" <passani@eunet.no>
Cc: public-bpwg-comments@w3.org

On Tue, Aug 5, 2008 at 3:56 AM, Luca Passani <passani@eunet.no> wrote:
> reality is that something as devious as transcoders were not even
> conceivable when the proxies were defined. We are talking about a tool
> which captures and transforms content it has no right to. So, the fact that
> HTTP was not devised with a feature that prevented transcoders from stealing
> content, does not mean that it is OK to do so. Thousands of developers
> around the planet think it is not.

OK, just a reply to your comment that this was somehow subverting
HTTP. I think HTTP is prepared for proxies, even transforming proxies
(no-transform directive, anyone)? Julian rightly points out my
specific example is deprecated, and may not have been intended for the
context of transforming proxies. I think it's beside the point anyway,
just suggesting this is not somehow completely unintended in HTTP,
because, well it obviously isn't.

> it's no longer end2end

It is, but, the ends are the bank and the transcoder. I think that's
my central point. Yep, if you don't understand this setup, that's bad.
The transcoder shouldn't be involved unless you understand it's now
part of "you", your "end" in this "end to end" security. end2end ends

> this to me is like: I am a legitimate customer of a bank. The bank wants me
> to go through the main door (they have anti-rob security there), but someone
> will open a secondary door for me. Since I am a legitimate user of the bank,
> using the secondary door is no big deal......ermmmm...not quite. This is not
> how it is supposed to work.

Well you have some valid analogies to the real world. For example,
even if I want to let my wife go in and take out a loan on my behalf,
the bank won't let me, even if I say, yeah, she's my agent. A bank
might rightly say, no, I just don't want to allow this -- similarly, I
don't want to be accessed through a transcoder.

This is where I think it's good that someone is trying to write down a
protocol for saying "I'm a transcoder" (and why I think preserving
User-Agent is bad) and "OK please don't transcode".

Prohibiting transcoding of all HTTPS links would sure solve the bank
problem, but, would throw the baby out with the bathwater. More than
just banks use HTTPS. I don't think it's logical to say all such uses
of HTTPS can't be transcoded (e.g. a forum site) since that harms end

I do think it's logical for banks to want ways to prohibit transcoding
if they choose, or users to do so. I'm not sure if you agree.. but I
hope you do given your emphasis on individual control over their
online experience.

> Yes. This is one way to put it. When it comes to security, users need to be
> protected from themselves. And I am amazed at how you are failing to agree
> with this.

It seems a bit paternalistic to write down as a serious
recommendation. It'd be like Mozilla never accepting an expired SSL
certificate. I mean, yeah, it would have a point. It's trying to save
you from doing something that's technically sort of bad,
security-wise. But if I'm sitting there trying to get to my bank (who
should be shamed for not updating that cert!) and Mozilla is just
refusing to let me go ahead and accept the situation and proceed...
I'd be upset. You would too.

Same here. Yeah, I am all for crystal clear warnings. Just not for
forcing a decision on people.

>> Gosh, it seems extreme to say this content should just never be
>> accessible to mobile users.
> which is not what I said. The content should not be available unless the
> content owner decides that it should in fact be available and build a mobile
> UI for it.

OK, that's a lot of burden on the mobile site developer, and harms the
end user. I can only say that if you were in the business of bringing
info to people, you would likely not feel the same way. As you're not,
you can take another position. I am just offering an informed
perspective for you to do with as you like.

> Who are the 19 people? I talk to developers each day. I would say that 95%
> or more think you have done a poor job by not protecting mobile content
> enough against abusive transcoders.

I meant the group, but, also nobody I work with agrees with you.
You could say, sure, but you just represent the Big Transcoder lobby.
By the same token you represent one piece of the puzzle too. That's
why I like forums where everyone can try to find some common ground
here. Not sure if we're getting anywhere but at least there is
something like a discussion going on.
Received on Tuesday, 5 August 2008 13:39:19 UTC
