To make a more Open Internet

A few days ago, Microsoft released Internet Explorer 9 Beta, which is intended to make a More Beautiful Web. It’s a really good thing for everyone: users, developers, and for an Open Net.

However, the Open Net does not mean JUST an open and unique Standard (what the W3C is working for). It also means FREE (as in free speech, free beer, and free circulation of information), secure, uncensored, distributed and decentralized, creative, and built on the end-to-end principle. That means the Internet should ALWAYS be without borders, without country attributes, available to everyone, and ENCRYPTED in transit between end point and end point. All of humanity will benefit from such an Internet, and the Internet will change us, our civilization, our culture, our science, our society. Eventually, it will make an ALL new open Beautiful World of Humanity.
We are not talking of China!
Unfortunately, in the past few days we have seen things that are not so good in this respect happen in more and more countries, from Internet censorship to threats of blocking secure mobile email communication. (And we are not even talking of China or North Korea!) Is the world becoming more and more EVIL?

But today I am focusing on another aspect of the Open Internet: Security. As we know, the end-to-end principle is the core foundation of the Internet. Security technologies and tools make the transport between 2 peers (ends) encrypted, so that it can’t be seen or changed by a third party. These technologies include the famous Transport Layer Security (SSL) protocol, PGP encryption and others. On the World Wide Web, SSL is the de facto industry standard. ALL websites and services should force the use of SSL for (user) authentication, credit card submission and other sensitive processes. It’s ALWAYS good to implement (support) SSL everywhere, at least as an alternative.

These days, while playing with a few famous social website APIs like the Twitter API, Facebook API, Google Buzz API, Picasa API and other open web APIs, I unfortunately found that only Google implements SSL in (nearly) all their APIs throughout the whole process: not only the API call itself goes over SSL, but also all resource URLs in the returned data, such as images, use the https protocol.

For example, if you request the album list of my Picasa web album via the API:

https://picasaweb.google.com/data/feed/base/user/cxy152376?alt=json-in-script&access=public&callback=cb

you will get this result:

cb( {
	"version": "1.0",
	"encoding": "UTF-8",
	"feed": {
		"xmlns": "http://www.w3.org/2005/Atom",
		"xmlns$gphoto": "http://schemas.google.com/photos/2007",
		"xmlns$media": "http://search.yahoo.com/mrss/",
		"xmlns$openSearch": "http://a9.com/-/spec/opensearchrss/1.0/",
		"id": {
			"$t": "https://picasaweb.google.com/data/feed/api/user/cxy152376"
		},
		//....
		"entry": [
			{
				//....
				"media$group": {
					"media$content": [ {
						"url": "https://lh6.googleusercontent.com/_UvwkVOvG9f4/TJeUCHi33pE/AAAAAAAAASM/yYxB8-nDdi0/cmIdME.jpg",
						"type": "image/jpeg",
						"medium": "image"
					} ],
					"media$credit": [ {
						"$t": "ONO OOGAMI"
					} ],
					"media$description": {
						"$t": "",
						"type": "plain"
					},
					"media$keywords": {},
					"media$thumbnail": [ {
						"url": "https://lh6.googleusercontent.com/_UvwkVOvG9f4/TJeUCHi33pE/AAAAAAAAASM/yYxB8-nDdi0/s160-c/cmIdME.jpg",
						"height": 160,
						"width": 160
					} ],
					"media$title": {
						"$t": "中岛美嘉",
						"type": "plain"
					}
				}
			},
			//....
		]
	}
});

As you can see, in the returned data the thumbnail and photo URLs are https links, so it’s always safe to hotlink them directly from an https page: no mixed content warning.

In contrast, the Twitter, Facebook and some other APIs only support SSL for the call itself. They don’t have their images and other resources stored on secure servers. For example, here is a Twitter profile image link, exactly as returned by some Twitter APIs like statuses/friends:

http://a0.twimg.com/profile_images/319821500/me_gravator_face_normal.jpg

It’s not an https address. If you try to access it over SSL:

https://a0.twimg.com/profile_images/319821500/me_gravator_face_normal.jpg

you will get a “Cert invalid error” in your browser:

a0.twimg.com uses an invalid security certificate.

The certificate is only valid for the following names:
  a248.e.akamai.net , *.akamaihd.net  

(Error code: ssl_error_bad_cert_domain)

It’s nearly the same thing and the same (SSL cert) error when you try to access Facebook users’ profile pictures (which are also only provided over http) via the https protocol. It is perhaps because both Twitter and Facebook are using Akamai’s CDN services to serve static files, and Akamai can’t use Twitter’s and Facebook’s own SSL certs. As simple as that, and so they are not secure.

Though they are only static resources, it is ALWAYS these leading social websites’ responsibility to provide SSL-encrypted access to their data via API, in favor of a Secure and end-to-end Open Internet. As we know, only Google does best in this respect.
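To check an API response for exactly the problem described above (the Picasa feed versus the plain-http Twitter and Facebook image links), here is an added example that is not part of the original post: it strips the JSONP wrapper, walks the returned feed, and lists every resource URL an https page could not embed without a mixed content warning. The sample feed and helper names are my own constructions.

```javascript
// Added example, not code from the original post: audit a JSONP feed shaped
// like the Picasa "alt=json-in-script&callback=cb" response and list every
// resource URL that an https page could not embed without a mixed-content warning.

// Keys whose values a browser actually fetches. Namespace declarations ("xmlns",
// "xmlns$gphoto", ...) and Atom "id" values are identifiers, not fetched resources.
const RESOURCE_KEYS = new Set(["url", "href", "src"]);

// Strip the JSONP wrapper "cb( {...} );" and parse the JSON payload inside.
function unwrapJsonp(text, callback) {
  const trimmed = text.trim();
  const end = trimmed.lastIndexOf(")");
  if (!trimmed.startsWith(callback + "(") || end < 0) {
    throw new Error("not a JSONP response for callback " + callback);
  }
  return JSON.parse(trimmed.slice(callback.length + 1, end));
}

// Walk the parsed feed recursively; collect {path, url} for every resource
// reference whose scheme is not https (plain http or an unparsable value).
function findInsecureResources(node, path = "$", out = []) {
  if (Array.isArray(node)) {
    node.forEach((item, i) => findInsecureResources(item, `${path}[${i}]`, out));
  } else if (node && typeof node === "object") {
    for (const [key, value] of Object.entries(node)) {
      const childPath = `${path}.${key}`;
      if (RESOURCE_KEYS.has(key) && typeof value === "string") {
        let scheme = "invalid:";
        try { scheme = new URL(value).protocol; } catch (_) { /* keep "invalid:" */ }
        if (scheme !== "https:") out.push({ path: childPath, url: value });
      } else {
        findInsecureResources(value, childPath, out);
      }
    }
  }
  return out;
}

// Constructed sample: entry 0 mirrors the Google feed (https everywhere);
// entry 1 mimics a profile image served from a plain-http CDN, like twimg.com.
const SAMPLE_JSONP = `cb( {
  "feed": {
    "xmlns": "http://www.w3.org/2005/Atom",
    "entry": [
      { "media$group": { "media$thumbnail": [ { "url": "https://lh6.googleusercontent.com/example/s160-c/a.jpg" } ] } },
      { "media$group": { "media$thumbnail": [ { "url": "http://a0.twimg.com/profile_images/319821500/me_gravator_face_normal.jpg" } ] } }
    ]
  }
});`;
console.log(findInsecureResources(unwrapJsonp(SAMPLE_JSONP, "cb")));
```

Only the twimg.com thumbnail is reported; the http:// namespace URI is an identifier, not something the browser fetches, so it is correctly left alone.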
