This document:Public document·View comments·Disposition of Comments·
Nearby:Mobile Web Best Practices Working Group Other specs in this tool Mobile Web Best Practices Working Group's Issue tracker
Quick access to LC-1995 LC-1996 LC-1997 LC-1998 LC-1999 LC-2000 LC-2001 LC-2002 LC-2003 LC-2004 LC-2005 LC-2006 LC-2007 LC-2008 LC-2009 LC-2010 LC-2011 LC-2012 LC-2013 LC-2014 LC-2015 LC-2016 LC-2017 LC-2018 LC-2019 LC-2020 LC-2021 LC-2022 LC-2023 LC-2024 LC-2025 LC-2026 LC-2027 LC-2028 LC-2029 LC-2030 LC-2031 LC-2032 LC-2033 LC-2034 LC-2036 LC-2037 LC-2038 LC-2039 LC-2040 LC-2041 LC-2042 LC-2043 LC-2044 LC-2045 LC-2046 LC-2047 LC-2048 LC-2049 LC-2050 LC-2051 LC-2052 LC-2053 LC-2054 LC-2064 LC-2065 LC-2066 LC-2067 LC-2068 LC-2069 LC-2070 LC-2071 LC-2072 LC-2073 LC-2074 LC-2075 LC-2076 LC-2077 LC-2078 LC-2079 LC-2080 LC-2081 LC-2082 LC-2083 LC-2084 LC-2085 LC-2089 LC-2090 LC-2091 LC-2097
Previous: LC-2030 Next: LC-2031
4.3.6.2 I think the Note here is a good one, but may be worth expanding, since it is apparently already unclear to some how HTTPS works here. The very purpose of HTTPS is to ensure that content is not modified or read by third parties in transit, which means a transforming proxy cannot jump into an HTTPS conversation between mobile device and origin server. So there's not actually a question of whether it's illegal or unethical -- it's simply not possible (unless you have cracked SSL). It can only create a secure connection between the mobile device and itself, and between itself and the origin server. This is indeed a situation that the end user needs to understand: I suggest wording along these lines, take it or leave it as you see fit -- URIs which begin with the https scheme, when accessed, are secured against eavesdropping and modification by third parties by the SSL protocol. It is therefore not possible for a third-party transforming proxy to participate directly in such a connection between mobile device and origin server. Transforming proxies may still transform content of https resources, but at best, it involves creating a separate secure connection between device and proxy, and between proxy and origin server. These communications are secure but the secured content is of course visible to the transforming proxy. This may of course be undesirable to an end user. Therefore if a proxy rewrites https links, replacements links MUST at least use the https scheme as well, and the proxy MUST use https to communicate with the origin server. In addition the proxy MUST clearly advise the user that the potentially sensitive contents of the communication will be visible to the proxy, and must give the user an option to opt out.