Re: ACTION-893: Start putting together a set of guidelines that could help address the security issues triggered by links rewriting.

David Storey wrote:
>
>
> On 18 Jan 2009, at 17:12, Luca Passani wrote:
>
>>>>
>>>
>>> Wouldn't work.  Opera Mini only supports transcoded content.  
>>> Without it we'd have to show a screen saying "site not supported"  
>>> Not exactly good user experience, or what the user wants.
>>
>> right. Not a good user experience. But totally against what the 
>> content owner may want.
>
> Maybe, maybe not.

Maybe, maybe not. But it's the "maybe yes" part you need to care about. 
The fact that some sites are OK with Opera Mini breaking HTTPS does not 
mean that all sites are OK with OperaMini breaking HTTPS.

> The content owner probably wants their content to reach as wide a 
> audience as possible.

sure, but if they introduced HTTPS it means that security has priority 
over reaching the widest possible audience, or they wouldn't be using HTTPS.

> Our "state of the mobile web" reports (http://www.opera.com/smw/) show 
> that the most popular sites are social networking sites, and to some 
> extent e-mail.  Both need the user to log in via https.  All those 
> sites would just stop working.  Those sites would lose the 20+ 
> million  potential users.  We know of at least one major social 
> network that Opera Mini is a substantial portion of their daily hits. 
> They'd certainly not want us to cut off the users.

Very good. So what about starting to maintain a whitelist of sites which 
have explicitly approved that OperaMini interferes with HTTPS?
I wouldn't have a problem with that. And this would effectively make 
Opera a more ethical company than, say, Novarra and the others.


>
> Should a content owner be able to say users in the developing world 
> that can only access the web through a proxy based browser like Opera 
> Mini (the top countries for Opera Mini are dominated by developing 
> nations, and the main devices are regular feature phones, not advanced 
> smart phones) can't access their site?

Content owners may be made aware of the situation and they may agree to 
be whitelisted by OperaMini so that third-world countries can access 
their content.

> That sounds like discrimination to me.

yes, of course. Only in your wildest dreams can you get away with such a 
ridiculous excuse to justify abusive business practices.


>
>> If I make the effort to create an HTTPS site, it may well mean that I 
>> don't want anyone to interfere in the communication between me and 
>> the client, don't you think?
>
> Technically if the client is on the server, it is not strictly doing 
> this. 

technically not, practically yes. Anyway, it's also technically. 
OperaMini performs a man in the middle attack.

> The user requests the page from Opera, Opera requests and receives the 
> page from the site. Opera then sends the result (using SSL) to the 
> Mini client.  If you really wanted to, you could just block Opera Mini 
> by browser sniffing.

Most sites won't do that because they are not aware of what OperaMini 
is. I am sure that some sites will get there eventually. The problem is 
that you are breaking the web as a platform in the process by making 
development much more complicated and hard to test and maintain.

>
> I don't know the exact details of Opera Mini security, but we don't 
> store sensitive data.

An unfaithful employee might be monitoring and recording unencrypted 
sensitive data in the server memory.

>>
>>
>> After all, also waiting in line is not a good user-experience. Users 
>> have the right to complain about the long wait, or just vote with 
>> their feet and go somewhere else.
>
> Sometimes there is no option to go elsewhere.  There are sites where 
> you only have one option (example: government sites, local authority, 
> etc.)

Whitelist them.


>
>> They do not have the right to walk behind the counter and help 
>> themselves (i.e. break HTTPS).
>>
>>>  If a browser supports both regular html and transcoded content then 
>>> I personally fully agree, but otherwise we need to serve the content.
>>
>> again, you don't need to. You want to. And you do it with the hope 
>> that nobody gets seriously mad at what you are doing.
>
> Well it wouldn't be called a browser if it couldn't serve the majority 
> of what the user requests, so yes we need to.

the majority of what users request is not HTTPS. A large chunk, but not 
the majority. So, no, you don't need to.

Luca

Received on Sunday, 18 January 2009 19:38:04 UTC