Proposed Web protocol sparks tampering fears

From...

By Carolyn Duffy Marsan

(IDG) -- A proposal to create a standard communications protocol that would let Internet devices automatically personalize, translate or otherwise adapt Web pages in useful ways is generating strong criticism in the Internet engineering community because it also could be used to tamper with Web content.

Dubbed Open Pluggable Edge Services (OPES), the proposal envisions a new class of Web services similar to content delivery networks (CDN) and caching systems, which speed the delivery of Web pages. OPES devices would be attached to these systems to provide Web publishers with add-on features, such as reducing the size of Web pages to fit handheld devices or slowing multimedia streams for low-bandwidth connections.

Companies promoting OPES include AT&T, Lucent, Novell, Intel, CacheWare and CacheFlow. These companies want to develop an industry standard to ensure that OPES devices from different vendors can communicate with each other across the Internet.

OPES supporters held a meeting in London last week to try to persuade the Internet Engineering Task Force (IETF) to create a working group to pursue their concept.

While the OPES proposal sounds benign, it is controversial within the IETF community because OPES devices could be used to change Web content without the approval or knowledge of Web publishers. OPES critics also say the concept breaks the revered end-to-end architecture of the Internet by letting intermediary systems intervene in communications.

"The problem with the OPES group was that it appeared to be developing a mechanism to make it easy for unauthorized third parties to modify content in transit -- say by ISPs to insert advertisements," says Keith Moore, an outspoken critic of OPES and former director of the IETF's Applications Area.

IDG.net INFOCENTER NWFusion main page Network World Fusion's product reviews Net.Worker: Resources for teleworkers Free daily newsletters Related IDG.net Stories Experts call MPLS bad for Net Meet SIMPLE IETF stops work on VPN protocol Features Network security begins at home Any port is a hacker storm DSL bloodbath continues Visit an IDG site Choose a site: IDG.net CIO Computerworld Darwin Dummies.com GamePro.com The Industry Standard ITWorld.com InfoWorld.com JavaWorld LinuxWorld Macworld Online Network World Fusion PC World Publish.com UnixInsider IDG.net search

"The proposed OPES charter has since been modified to clarify that the parties that modify content do require explicit authorization," Moore adds. "However, there are still indications that some OPES proponents are wanting to standardize an interface [by] which unauthorized modifications can be made."

After the IETF leadership announced in June that an OPES working group was proposed, the group's mailing list was flooded with negative messages, including one that called OPES "evil incarnate."

The Center for Democracy and Technology recently entered the fray, sending a letter to the IETF's external liaison and Network World columnist Scott Bradner outlining the advocacy group's concern that OPES would create an open standard for the unauthorized manipulation of Web content.

IETF leaders say OPES has been criticized unfairly as creating transparent interceptors, when in fact the group's goal is to create devices that only modify Web content with the permission of Web publishers, CDN providers or ISPs.

"What OPES is about isn't evil intermediaries," says Harald Alvestrand, chair of the IETF. Instead, OPES sets up specialized boxes called proxies that off-load functions from Web servers or clients, and these proxies "do interesting things," he says.

The IETF leadership is expected to decide as early as this week whether to create an OPES working group.

"I think we have an understanding [among the IETF leadership] that OPES is a tool that we expect people to use reasonably, so it's reasonable to do," Alvestrand says.

Central to the debate over OPES is the reality that between a typical Web server and an end user are many interim devices, including caching systems and CDNs.

Most Web pages are generated on the fly using information culled from different databases and content providers.

OPES is a framework that would let these interim devices further customize Web pages using proxies. These proxies would be connected to Web servers, CDNs, ISP cache arrays or Web browsing clients.

OPES proponents say their boxes would be under the control of Web publishers or would provide services that Web publishers request. Both the Web publisher and service provider would develop rules that specify when and how to execute OPES services.

"What OPES is trying to do is standardize one of the plugs that fits into the overall Web architecture," says Ned Freed, a director of the IETF's Applications Area.

"The problem is that you could put that plug on an unauthorized service," he adds.

He says the IETF ought to develop the OPES concept with built-in security measures rather than letting the marketplace create its own OPES-like products.

"My belief is that standardization and control of OPES is better than [the alternative]," Freed says.