13-Feb-2009 10:55:00
by Tom Godber

Transcoders round 2

It has been incredibly busy pre-MWC and so I have not yet pulled together our research into mobile browser handling of SSL certificates (as promised when I described transcoders). However one piece of news inspired me to write an addendum – Novarra, a transcoder vendor, have now started offering a version of their transcoder for laptops using 3G dongles. Bill Ray isn’t certain about all the details, and Novarra still haven’t replied to my previous request for information so it is difficult to confirm anything, but I’ll restate the problem now and draw some possible conclusions from that.

The problem as it stands: transcoder vendors want to rewrite content to improve performance and accessibility of sites accessed through “mobile” connections. To do this for secure HTTPS sites, they insert themselves into the transaction quietly, breaking end-to-end encryption and creating a potential security hole – though if they are doing their job correctly it should be hard to exploit. More details here.

The transcoder vendors are asking the W3C to approve a new best practices guide which states that they will be allowed to insert themselves into an HTTPS connection, but if the server has set a special HTTP header they will immediately stop and allow end-to-end encryption to resume. If you’re interested in the politics WapReview have an excellent post covering them.

On the face of things the proposal sounds eminently reasonable. It isn’t.

One year ago Netcraft reported that there were 2,451,780 sites on the web responding to SSL (HTTPS) requests, 794,008 of which certificates verified by trusted third parties such as Verisign. Growth was nearly 40% year-on-year at that point, so we can assume there are at least 3m sites today, 1m of which are serious about their security.

There are approximately 5-15 transcoder vendors (that’s an educated guess – there are more than two and I can’t imagine there are as many as 20).

The vendors believe that for security to be guaranteed, the best thing to do is that they break the existing standard, and all 1m (or 3m) sites on the web must change their server configuration if they want to continue being secure. This agreement will be made by a committee of a few dozen people at W3C – no word yet on how widely it will be publicised, but the people publicising the process so far are largely outsiders who don’t like the sound of it.
Many might not care, because they don’t support mobile handsets directly and don’t plan to in the near future. The move to broaden transcoding into laptop connections may make those people think twice, especially when you consider that in the future WiMax and LTE will start to offer true broadband over the air and the entire nature of the internet connection industry will change and become more wireless.

It seems common sense to a layman: the 3+ million e-commerce sites, corporate intranets etc should be allowed to remain secure without having to change all of their configuration; the dozen or so transcoder vendors should honour the existing system. If it is neccessary to transcode HTTPS connections, this should be an opt-in service decided by each and every site, who should be given full explanations of the (minimal?) risks - because they have the burden of care to their users, adherance to banking/privacy regulations, etc.

Let’s hope the W3C make the right decision, but if you are concerned about this maybe it’s worth publicising it widely just in case?

Written by Tom Godber