- From: Jo Rabin <jrabin@mtld.mobi>
- Date: Mon, 04 Aug 2008 22:37:17 +0100
- To: Luca Passani <passani@eunet.no>
- CC: public-bpwg-comments@w3.org
> do perform a man-in-the-middle-attack, and IMO this should not be > endorsed by the W3C guidelines. The W3C Content Transformation Guidelines don't endorse Content Transformation, period. Specifically they don't endorse interception of HTTPS. > security". Well, this is not up to the user to decide, I am afraid. That's not so, in my view. It's up to the user and the content provider to accept that they are willing to communicate over what may be a compromised channel. Neither of them has to accept that, both of them need to know that the channel is compromised, if it is. Jo On 04/08/2008 22:06, Luca Passani wrote: > > > Having look at the conversation you are having here, I think there are > conflicting information about how HTTPS is handled by transcoding > servers. I understand that not all transcoders work the same, but some > do perform a man-in-the-middle-attack, and IMO this should not be > endorsed by the W3C guidelines. > > The way many transcoders work is that they run instances of real web > browsers (talking about tens or hundreds of Internet Explorer instances > running in the memory of the server here). This means that there is no > way for content owners to protect against transcoders simply because the > server is talking to a legitimate web browser, exchanging real > certificates, logging-in with real passwords, establishing secure SSL > connetions and all the rest. > > The point of the Content Transformation Guidelines seems to be "some > users may want to continue using the service at the cost of degrading > security". Well, this is not up to the user to decide, I am afraid. > HTTPS is also about non-repudiation and the fact that users must not be > able to say "I did not do it" at a later stage. The fact that > transcoders have found a technical way to by-pass HTTPS security does > not mean that they have the right to do it. Nor does it mean that > end-users can take advantage of it. > > Luca > > > >
Received on Monday, 4 August 2008 21:38:22 UTC