W3C home > Mailing lists > Public > public-bpwg@w3.org > January 2009

Re: ACTION-893: Start putting together a set of guidelines that could help address the security issues triggered by links rewriting.

From: Jose Alberto Fernandez <jalberto@cellectivity.com>
Date: Tue, 20 Jan 2009 14:52:34 -0000
Message-ID: <3AAB09AEC806CB469174F8CC39E5781801D2158E@lonex01.Cellectivity.local>
To: <public-bpwg@w3.org>
Tom Hume wrote:


> Personally I would say that a CP using HTTPS has stated they wish to 
> have their service accessed securely, but not that they're opting out 
> of transcoding by doing this. 


Either you are taking the Mickey out of everyone on the list or you
never learn about what SSL is or means. An SSL connection is an
encrypted connection between to servers. Requiring sending some header
on the connection in order to decide whether the connection can be snoop
on or changed in any manner requires that you snoop on the connection to
start with, which means that you would be violating the confidentiality
of the communication in order to know whether you are allowed to break
the confidentiality of the communication.


Second, it is not a question of not being allowed. It is a question of
not being possible to snoop on the SSL tunnel. So the only way you have
is to break the tunnel before you even know what the tunnel is all
about. Which bring us back to the question of transcoding requests or
documents? The only way to inform a gateway whether I allow an HTTPS
reference to be snoop on, is by specifying it on the document containing
the link. But as you have already decided, from what I read on the
minutes, you do not allow the resources of one document to be affected
by the options specified on it. Meaning that even if I say I do not want
my document transformed, you seem to believe that does not disallow you
from transforming its resources (i.e. the referenced HTTPS document).


So you see, every decision you are taking only works to makes matters
even worst for everyone involved (well, except for the transcoder


Jose Alberto


Received on Tuesday, 20 January 2009 14:50:40 UTC

This archive was generated by hypermail 2.4.0 : Friday, 25 March 2022 10:09:53 UTC