- From: Amos Jeffries <squid3@treenet.co.nz>
- Date: Sat, 28 Sep 2013 01:58:33 +1200
- To: ietf-http-wg@w3.org
On 28/09/2013 12:13 a.m., Eliot Lear wrote:
> The no-transform directive forever has said that proxies MUST NOT
> touch payload.
>
> Situation:
>
> Suppose there is malware on a web site and a proxy resides between the
> client and server.
>
> Questions:
>
> 1. Why would the malware distributor NOT want to issue the
>    no-transform directive? After all, they don't want their malware
>    removed.
> 2. Why would a proxy honor the directive, knowing that there is malware?
>
>
> My point: I wonder if the MUST is a bit too strong or whether a caveat
> should be added around this. (Maybe there is such a caveat and I've
> just missed it?)
>
> Eliot
>

I was introduced to the no-transform directive by its use on a hospital network. The medical teams exchanged TIFF files and other very high resolution imagery, which simply *had* to be at that high resolution to identify and highlight the fine-grained pixels representing diseases or unidentified abnormalities.

It surprised me how many off-the-shelf products even in such a sealed environment as a hospital take it upon themselves to "optimize" bandwidth by reducing such imagery into JPG/GIF/PNG or such.

I have since also seen it in use on satellite imagery and my own clients in the movie making industry send images and videos across the web using it for very similar reasons. Although for these clients it is not firewalls and desktop AV scanner proxies doing the optimizing, but mobile telco and national level proxies.

There is not a requirement to deliver the infected payload anywhere - only a prohibition on delivering a modified copy. AV scanners have the option of replacing the entire HTTP reply with a 500 status response indicating the problem for manual intervention when no-transform prohibits fixing the issue silently.

I would say MUST is about the right level of severity on that one.

Amos
Received on Friday, 27 September 2013 13:59:06 UTC
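
The handling described in the message above, sketched as an added example that is not part of the original post: a scanning intermediary forwards clean payloads untouched, replaces the whole reply with a 500 when the payload is flagged and `no-transform` is set, and repairs in place only when the directive is absent. The `scan` and `sanitize` hooks, the marker and the sample headers are hypothetical, constructed for illustration.

```python
import re

# One directive: token, optional =token or ="quoted-string", then "," or end.
_DIRECTIVE = re.compile(
    r'\s*([!#$%&\'*+\-.^_`|~0-9A-Za-z]+)'
    r'(?:=(?:"(?:[^"\\]|\\.)*"|[^,\s]*))?\s*(?:,|$)')

def cache_directives(headers):
    """Lowercased directive names from every Cache-Control field in headers."""
    names = set()
    for name, value in headers:
        if name.lower() != "cache-control":
            continue
        pos = 0
        while pos < len(value):
            m = _DIRECTIVE.match(value, pos)
            if m:
                names.add(m.group(1).lower())
                pos = m.end()
            else:  # empty or malformed element: resume after the next comma
                comma = value.find(",", pos)
                pos = len(value) if comma == -1 else comma + 1
    return names

def filter_response(status, headers, body, scan, sanitize):
    """scan(body)->bool and sanitize(body)->bytes are hypothetical scanner hooks."""
    if not scan(body):
        return status, headers, body            # clean: forward untouched
    if "no-transform" in cache_directives(headers):
        # A modified copy is prohibited, delivery is not required:
        # replace the whole reply instead of repairing it silently.
        msg = b"Response blocked by content scanner; payload was not modified.\n"
        return 500, [("Content-Type", "text/plain"),
                     ("Content-Length", str(len(msg)))], msg
    cleaned = sanitize(body)                    # transformation permitted
    kept = [(n, v) for n, v in headers if n.lower() != "content-length"]
    return status, kept + [("Content-Length", str(len(cleaned)))], cleaned

# Constructed sample data, not taken from the thread.
MARKER = b"<!--CONSTRUCTED-BAD-->"
SCAN = lambda b: MARKER in b
SANITIZE = lambda b: b.replace(MARKER, b"")
BODY = b"<html>" + MARKER + b"ok</html>"

if __name__ == "__main__":
    for cc in ("max-age=60, no-transform", 'private="no-transform", max-age=60'):
        hdrs = [("Cache-Control", cc), ("Content-Length", str(len(BODY)))]
        print(cc, "->", filter_response(200, hdrs, BODY, SCAN, SANITIZE)[0])
```

The second sample header shows why a substring search for `no-transform` is not enough: there the string appears only inside the quoted argument of `private`, so the directive is not in effect.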