Re: ACTION-893: Start putting together a set of guidelines that could help address the security issues triggered by links rewriting. from Luca Passani on 2009-01-18 (public-bpwg@w3.org from January 2009)

From: Luca Passani <passani@eunet.no>
Date: Sun, 18 Jan 2009 16:42:16 +0100
To: Mobile Web Best Practices Working Group WG <public-bpwg@w3.org>
Message-ID: <49734DD8.1040103@eunet.no>

David Storey wrote:
>
> This is not strictly true, in that you still have to trust the 
> client.  One could say you can't trust Opera Mini as it doesn't have 
> end to end SSL, but on a regular browser the SSL is obviously 
> decrypted on the client.  That client (say Opera desktop) could just 
> as easy do something malicious with the private data if the vendor 
> wasn't trustworthy.  I guess there would be an additional step in 
> phoning home to return the data to the mother ship though.

David, I suspect you are changing subject in a subtle way here. HTTPS is 
about end2end security. We are talking about whether there are 
legitimate scenarios to break end2end secure communications established 
by two entities...or NOT.

Can a user's PC be hacked and the sensitive information contained in it 
be stolen as a consequence of it? yes, fully possible.
Can Opera create a browser which will collect and send credit card info 
to a secret server in Russia? unlikely, but possible.
Can a server be broken into by hackers who acquire loads of credit card 
numbers as well as other sensitive info? yes. Also fully possible.

But this is not what we are talking about here.

>
> In short I think you have to trust the proxy vendor as much as you 
> trust the client vendor.
A web browser on my desktop I can patch or replace at will. The same 
cannot obviously be said of transcoders, the existence of which most 
people ignore.

> I guess one difference is that certain proxies the end user chooses to 
> use, such as by downloading and using Opera Mini, but it is a 
> different ball game for proxies that operators push on the user 
> without them selecting it (i.e. given to all mobile browsers).  I 
> think the former is fine but not so much the latter.

I think they are both wrong. But since OperaMini tends to be "opt-in" by 
nature, it does not bother the rest of the ecosystem as much as the 
others. FYI, Opera partnered with ByteMobile, which leverages Opera's 
technology to reformat websites exactly as Novarra and all the others 
(look at Voda Ireland, for example). Glad to hear that Opera does not 
like this model.

>
> In regard to the no transform header; this can't work for solutions 
> such as Opera Mini, where they only support using a proxy.

I think OperaMini should stop transcoding HTTPS content
.
Luca

Received on Sunday, 18 January 2009 15:42:55 UTC