- From: David Storey <dstorey@opera.com>
- Date: Sun, 18 Jan 2009 21:34:03 +0100
- To: Luca Passani <passani@eunet.no>
- Cc: Mobile Web Best Practices Working Group WG <public-bpwg@w3.org>

On 18 Jan 2009, at 20:37, Luca Passani wrote:

> David Storey wrote:
>>
>> On 18 Jan 2009, at 17:12, Luca Passani wrote:
>>
>> The content owner probably wants their content to reach as wide an
>> audience as possible.
>
> sure, but if they introduced HTTPS it means that security has
> priority over reaching the widest possible audience, or they
> wouldn't be using HTTPS.

The user's information is kept as secure using Opera Mini, as a regular browser, IMHO. Whether all proxies or proxy based browsers are run by trustworthy companies is a matter for debate that I'm not willing to go into.

>> Our "state of the mobile web" reports (http://www.opera.com/smw/)
>> show that the most popular sites are social networking sites, and
>> to some extent e-mail. Both need the user to log in via https.
>> All those sites would just stop working. Those sites would lose
>> the 20+ million potential users. We know of at least one major
>> social network that Opera Mini is a substantial portion of their
>> daily hits. They'd certainly not want us to cut off the users.
>
> Very good. So what about starting maintaining a whitelist of sites
> which have explicitly approved that OperaMini interferes with HTTPS?
> I wouldn't have a problem with that. And this would effectively make
> Opera a more ethical company than, say, Novarra and the others.

There are far too many sites using HTTPS to make this a viable solution. Just getting in touch with all those sites would be near impossible. A blacklist may work. We'd also end up with no users left while we waited for just the popular sites to get back to us with an answer. Never mind the long tail.

>>> If I make the effort to create an HTTPS site, it may well mean
>>> that I don't want anyone to interfere in the communication between
>>> me and the client, don't you think?
>>
>> Technically if the client is on the server, it is not strictly
>> doing this.
>
> technically not, practically yes. Anyway, it's also technically.
> OperaMini performs a man in the middle attack.

I think we have to agree to disagree.

>> The user requests the page from Opera, Opera requests and receives
>> the page from the site. Opera then sends the result (using SSL) to
>> the Mini client. If you really wanted to, you could just block
>> Opera Mini by browser sniffing.
>
> Most sites won't do that because they are not aware of what
> OperaMini is. I am sure that some sites will get there eventually.
> The problem is that you are breaking the web as a platform in the
> process by making development much more complicated and hard to test
> and maintain.

I'm not sure how this is the case. Most sites that work in Opera will work out of the box with Opera Mini. Additional testing is mostly just having another browser to test against. The main difference from a developer's angle is the JavaScript restrictions caused by a client server architecture, as highlighted at http://dev.opera.com/articles/view/javascript-support-in-opera-mini-4/

As a full browser wouldn't fit on many of these phones it is allowing the web in places where it wouldn't be able to reach, rather than breaking it imho.

>> I don't know the exact details of Opera Mini security, but we don't
>> store sensitive data.
>
> An unfaithful employee might be monitoring and recording unencrypted
> sensitive data in the server memory.

A hacker may be doing the same on your desktop PC. Internal policies would quickly find out if this was the case (and much faster than a regular user would find out if their computer had been hacked).

>> Well it wouldn't be called a browser if it couldn't serve the
>> majority of what the user requests, so yes we need to.
>
> the majority of what users request is not HTTPS. A large chunk, but
> not the majority. So, no, you don't need to.

Any site that requires a log in would not work. That is a big percentage of the top ten sites in the top 10 markets for Opera Mini.

Any proxy based solution needs to support logging into sites. That is commercial and user experience reality. If there was another way then fine, but currently there isn't.

> Luca

David Storey

Chief Web Opener, Product Manager Opera Dragonfly, Consumer Product Manager Opera Core, W3C Mobile Web Best Practices Working Group member

Consumer Product Management & Developer Relations
Opera Software ASA
Oslo, Norway

Mobile: +47 94 22 02 32
E-Mail: dstorey@opera.com
Blog: http://my.opera.com/dstorey

Received on Sunday, 18 January 2009 20:34:44 UTC