On 10/22/13 8:36 AM, Lee Passey wrote:

>
> OpenLibrary is not a library. The only information it furnishes is
> library metadata.


No, in fact OL gives access to books either to download or to borrow. It 
also has the status of "library" as defined by the state of California 
and is considered such by the state library (which is the arbiter of all 
things regarding public libraries within the state). And libraries in 
the US do protect the privacy of catalog searches to the extent 
possible, as per the privacy policies of the American Library Association.

Now, if, as Tom suggests, using https will hinder use of the APIs, or any 
other uses of OL, then that must be weighed against the privacy risks. 
But that's a different argument.

kc


> I'm having a hard time envisioning a scenario where
> any of the traffic between a user and OpenLibrary could be sensitive
> enough to draw the attention of any entity with the capability to do
> wire sniffing. (Perhaps https would be appropriate for archive.org, but
> that's a different issue). Why will https enhance users' privacy?
>
> When an SSL connection is established, the server presents a certificate
> to the browser that not only contains the server's public key (for
> setting up the encrypted channel) but also assertions about the server's
> identity. If you trust the signing certificate authority (in this case,
> GoDaddy.com) you can be assured that you have hit the site you think you
> have (assuming you actually look at the public key certificate returned
> by the web site). Server authentication guards against Trojan links
> where rogue agents present a site that /looks/ like OpenLibrary, but
> which isn't, and which may then collect sensitive information such as
> user names, passwords, and contact information. Signed certificates also
> minimize the likelihood of "man in the middle" attacks.
>
> Does OpenLibrary solicit any personally identifying information from
> users? Have there been any reported instances of counterfeit web sites
> designed to fool users into thinking they have reached openlibrary.org?
>
> There may be security issues surrounding the OpenLibrary web site,
> although on the whole the information solicited and provided seems
> relatively benign. Whatever issues /do/ exist are unlikely to be
> addressed by using HTTP over SSL. The https protocol is widely used to
> provide the appearance of security without providing the reality of
> security. Best practice suggests identifying the security threats (e.g.
> providing user information in database dumps) and then selecting the
> technology to directly ameliorate those threats. Using https for
> OpenLibrary is likely to be mostly harmless, but also mostly useless.
> _______________________________________________
> Ol-tech mailing list
> [email protected]
> http://mail.archive.org/cgi-bin/mailman/listinfo/ol-tech
> Archives: http://www.mail-archive.com/[email protected]/
> To unsubscribe from this mailing list, send email to 
> [email protected]
>

-- 
Karen Coyle
[email protected] http://kcoyle.net
m: 1-510-435-8234
skype: kcoylenet