Re: [EME] Mitigating the impact of HTTPS on content providers from David Dorwin on 2014-10-24 (public-html-media@w3.org from October 2014)

From: David Dorwin <ddorwin@google.com>
Date: Fri, 24 Oct 2014 15:59:08 -0700
To: "Jerry Smith (WINDOWS)" <jdsmith@microsoft.com>
Cc: "public-html-media@w3.org" <public-html-media@w3.org>
Message-ID: <CAHD2rsg2kQnD6nBz-jpdFVjVrQrGpzhRVbhkMGgxSyWus-dvaA@mail.gmail.com>

On Fri, Oct 24, 2014 at 3:37 PM, Jerry Smith (WINDOWS) <
jdsmith@microsoft.com> wrote:

>  We believe that Intranets should not be mandated to run https.  Perhaps
> we should consider an exclusion for it.
>

The current text uses authenticated origin
<http://www.w3.org/TR/mixed-content/#authenticated-origin>. I believe
Intranets would fall under private origin
<http://www.w3.org/TR/mixed-content/#private-origin>. We can discuss the
risks with experts in this area.

>
>
> Implicit in temporarily allowing mixed MSE content Is an assumption that
> performance concerns (raised previously) can be resolved and the temporary
> exception can expire.  Is there a rationale that suggests the performance
> issues will be overcome anytime soon?
>

In https://www.w3.org/Bugs/Public/show_bug.cgi?id=26332#c88, Mark said:

> Suffice to say, for the moment, that the costs associated with simply enabling HTTPS are very significant. A managed migration, at a reasonable pace with time for software and hardware optimizations to be developed and deployed, has a different, lower, cost.
>
> That seems to imply that even his performance concerns can be addressed.


>
>
> Jerry
>
>
>
> *From:* David Dorwin [mailto:ddorwin@google.com]
> *Sent:* Friday, October 24, 2014 9:54 AM
> *To:* public-html-media@w3.org
> *Subject:* [EME] Mitigating the impact of HTTPS on content providers
>
>
>
> The main objection to requiring secure origins for some or all key systems
> seems to be the impact this would have on content providers using MSE -
> mixed content restrictions would require them to also serve the encrypted
> media streams from a secure origin. While there is still some debate as to
> the actual impact, I'd like to start a brainstorm and discussion of ideas
> on how we might reduce the (immediate) impact on content providers while
> enabling user agents to require secure origins (in a reasonable timeframe).
>
>
>
> Here are some ideas to start the brainstorming. (I don't necessarily
> support any of them at this point.)
>
>    1. Define a flag day by which HTTPS must be supported/required.
>
>
>     1. See http://lists.w3.org/Archives/Public/www-tag/2014Oct/0100.html.
>       2. There might be some sort of timeline / phased-in transition.
>
>
>     1. For example, ramping up the amount of HTTPS traffic.
>
>
>    1. Temporarily allow Mixed Content XHRs to be provided to MSE when EME
>    is in use.
>
>
>     1. Non-secure XHR responses passed to MSE would temporarily be
>       considered Optionally-blockable Content like normal video.src content.
>       2. Given a choice, securing EME is probably more important than
>       preventing use of mixed content with MSE. (The alternative seems to be that
>       none of the bytes are secure.)
>       3. We would need to consider the security implications.
>       4. This exception would be eventually be phased out as in #1.
>       5. I'm not sure how practical this would be for implementions.
>
>
>    1. Establish an informal flag day, such as an agreement among major
>    browser vendors and/or content providers.
>
>
>     1. The goal would be to prevent content providers from segmenting the
>       platform by refusing to support user agents that choose to require HTTPS.
>       (See the second to last paragraph in
>       http://lists.w3.org/Archives/Public/www-tag/2014Oct/0096.html.)
>
>
>
> David
>

Received on Friday, 24 October 2014 22:59:57 UTC