Re: ACTION-893: Start putting together a set of guidelines that could help address the security issues triggered by links rewriting.

David Storey wrote:
>
> On 20 Jan 2009, at 12:59, Luca Passani wrote:
>
>>
>>
>> >> If anything, your reasoning supports the solutions I explained to
>> >>  David yesterday: since someone may be OK with transcoders
>> >>  breaking HTTPS for a good reason, go and ask site owners
>> >>  whether they accept the idea that a transcoder decrypts and
>> >>  re-encrypts HTTPS. Do this and we are all happy.
>> >
>> > I would be happy too. But this solution is not viable. It does not
>> > scale.
>>
>> Absolutely false. This solution is totally viable. Don't take Opera's 
>> word for it: Just track the top 200 sites which require HTTPS login 
>> in your system (which covers 95%+ of the traffic), contact the site 
>> owner to get approval and off you go. Very viable. Also create a 
>> process by which content owners can add their sites to the whitelist 
>> (of course, they'll need to prove who they are).
>
> It is quite obvious you don't deal with such stuff.  My main job at 
> Opera is site compatibility, and working with web sites to fix issues 
> in Opera.  We contact sites day in, day out.  Just getting replies 
> from 200 sites (which is a tiny fraction of those using SSL) would 
> take the best part of a year, probably more, never mind getting past the 
> support person, to someone that knows what one is talking about, then 
> finding a manager that can make a decision, then coming to consensus.
>
> I'm not sure where you get the covers 95%+ of the traffic either.  
> That is not true.

You misread my email, Dave. I talked about top 200 sites which use 
secure login. This would mean, say, 200 out of your top 2000 websites. I 
am sure that the top 2000 websites cover over 90% of your traffic.

And yes, you may need to hire someone to do the job, and yes, the task 
may well take 6 months. So what? I find it very unethical to dump the 
cost of proper development on the ecosystem. It's not very different 
from those who dump garbage by night in the countryside, rather than 
doing it properly and paying the environmental tax that comes with it.

 Luca

Received on Tuesday, 20 January 2009 13:17:14 UTC