W3C home > Mailing lists > Public > public-bpwg-ct@w3.org > November 2008

Re: [CTG] Draft 2008-11-07 / HTTPS link rewriting

From: Eduardo Casais <casays@yahoo.com>
Date: Tue, 11 Nov 2008 02:46:34 -0800 (PST)
To: Jo Rabin <jrabin@mtld.mobi>
Cc: public-bpwg-ct@w3.org
Message-ID: <524858.9366.qm@web45006.mail.sp1.yahoo.com>

> I don't think I agree. If a server doesn't want
> HTTPS links rewritten then it can prevent this happening by
> adding no-transform. Once a secure link is established
> it's moot as the proxy has no sight of that traffic.

> See above. The no-transform applies to the page with the
> original HTTPS link in -i.e. 1 - so 2 can't happen.

This is valid under the assumption that the first request -- the one to the page containing the original https URI -- is made to the same server, under the same transformation conditions. 

There is no way to ensure this is true. If the https URI is contained in a page returned from another server (e.g. a page of results from a search engine), which does not apply no-transform, then the situation I described may well occur: the URI is rewritten (search results page), the modified request is made to the server, and so on.

> And that is the Via header. It's not possible to find a
> Via header in an HTTPS connection that hasn't been
> intercepted. Francois has an action to discuss your earlier
> point with relevant folks.

All right, the case is still open.


Received on Tuesday, 11 November 2008 10:47:48 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:06:30 UTC