- From: Thomas Roessler <tlr@w3.org>
- Date: Wed, 14 Oct 2009 18:06:03 +0200
- To: WSC WG public <public-wsc-wg@w3.org>
- Message-Id: <D19D7857-BD92-4EED-A4AB-F5C95C1368A2@w3.org>
I propose that in response to the latest Content Transformation Guidelines Draft, we indicate that we're happy with the resolution of our group's comments, namely: > 4.2.9.3 HTTPS Link Rewriting > > Note: > > For clarity it is emphasized that it is not possible for a > transforming proxy to transform content accessed via an HTTPS link > without breaking end-to-end security. > > Interception of HTTPS and the circumstances in which it might be > permissible is not a "mobile" question, as such, but is highly > pertinent to this document. The BPWG is aware that interception of > HTTPS happens in many networks today. Interception of HTTPS is > inherently problematic and may be unsafe. The BPWG would like to > refer to protocol based "two party consent" mechanisms, but such > mechanisms do not exist at the time of writing of this document. > > The practice of intercepting HTTPS links is strongly NOT RECOMMENDED. > > If a proxy rewrites HTTPS links, it must advise the user of the > security implications of doing so and mustprovide the option to > bypass it and to communicate with the server directly. > > Notwithstanding anything else in this document, proxies must not > rewrite HTTPS links in the presence of aCache-Control: no-transform > directive. > > If a proxy rewrites HTTPS links, replacement links must have the > scheme https. > > When forwarding requests originating from HTTPS links proxies must > include a Via header field as discussed under 4.1.6.1 Proxy > Treatment of Via Header Field. > > When forwarding responses from servers proxies must notify the user > of invalid server certificates. > Regards, -- Thomas Roessler, W3C <tlr@w3.org>
Received on Wednesday, 14 October 2009 16:06:11 UTC