[x3d-public] Encrypted Content links using https

Don Brutzman brutzman at nps.edu
Sat Jul 16 12:57:22 PDT 2016


Additional references and X3D v4 plans follow.

The X3D Networking Component includes https and username/password support in Level 4.
http://www.web3d.org/documents/specifications/19775-1/V3.3/Part01/components/networking.html#SupportLevels

X3D Immersive Profile (close approximation to VRML97) only requires Networking Level 3.
http://www.web3d.org/documents/specifications/19775-1/V3.3/Part01/immersive.html#t-ComponentsAndLevels

X3D Resources includes a list of X3D Security considerations:
http://www.web3d.org/x3d/content/examples/X3dResources.html#Security

... which states, based on X3D Working Group teleconferences, that
"Web3D Consortium members expect that required support for secure url addresses using https and ssl/tls protocols is likely to be included in X3D version 4.0."

Our X3D v4 Candidate Capabilities wiki page has a bit more, with https requirements now inserted as first bullet:

X3D Version 4.0 Development - Candidate capabilities
http://www.web3d.org/wiki/index.php/X3D_version_4.0_Development#Candidate_capabilities

* Security and privacy:
** Include X3D Networking Component Level 4 support for https in Immersive, Interactive and other commonly used profiles
** Review X3D specifications to ensure that Security Considerations are fully documented throughout in every component
** XML Security provides best-available encryption, digital signature (authentication)
** Web Privacy: examine X3D compatibility with Do Not Track, P3P, POWDER

Wondering if anyone has tested various players (especially X3DOM and Cobweb) to see if they support https?

On 7/15/2016 12:34 PM, John Carlson wrote:
> Okay, Leonard.  I can support HTTPS in the X3D JSON Loader for loading JSON files, but someone should test it.  I will once I get my HTTPS server running again (it’s in a down virtual box and we’re migrating to a physical server, https://x3d.carlsonsolutiondesign.com).
>
> I assume file:// can go over SFTP if necessary (if there’s no https server).

No, the file:// protocol is for local access only.

	RFC 3986, Uniform Resource Identifier (URI): Generic Syntax
	https://tools.ietf.org/html/rfc3986

end of section 1.1:

    [...] URIs that
    identify in relation to the end-user's local context should only be
    used when the context itself is a defining aspect of the resource,
    such as when an on-line help manual refers to a file on the end-
    user's file system (e.g., "file:///etc/hosts").

middle of section 3.2.2 Host:

    [...] If the URI scheme defines a default for host, then that default
    applies when the host subcomponent is undefined or when the
    registered name is empty (zero length).  For example, the "file" URI
    scheme is defined so that no authority, an empty host, and
    "localhost" all mean the end-user's machine, whereas the "http"
    scheme considers a missing authority or empty host invalid.


> I think node.js is ready to support HTTPS, given a certificate and a key.  Likely it will be a painful transition, but very good for privacy.

Upgrading to make https available is a long-standing goal for the Web3D.org website.

	http://www.web3d.org/support/website-improvements

	Add support for accessing pages via HTTPS (Mantis #946)

	http://www.web3d.org/member-only/mantis/view.php?id=946

Interesting reference, posted to list some time ago:

	"Encryption Is More Important, and Easier, Than Ever"
	by Vindu Goel, 14 October 2015, NY Times
	http://bits.blogs.nytimes.com/2015/10/14/encryption-is-more-important-and-easier-than-ever
	This article discusses the means for getting a certificate and specifically discusses https://LetsEncrypt.org

>  Hopefully, the hardware will be up to the challenge.

We've had no noticeable effect on performance for our internal NPS hosts or a wide variety of external hosts.

> John
> Sent from Mail <https://go.microsoft.com/fwlink/?LinkId=550986> for Windows 10
>
> *From: *Leonard Daly <mailto:Leonard.Daly at realism.com>
> *Sent: *Friday, July 15, 2016 2:13 PM
> *To: *Web3D Consortium <mailto:consortium at web3d.org>; X3D Graphics public mailing list <mailto:x3d-public at web3d.org>
> *Subject: *[x3d-public] Encrypted Content
>
> There is a very heated discussion going on in the web-vr list concerning the WebVR specification. The browser companies (at least Google and Mozilla) are considering making this capability require that the content arrive over HTTPS. This seems (to me) to be part of a much larger push to require all content be encrypted.
>
> My point is not to get in a discussion here about the merits of this idea, but to provide preliminary notice that all Web3D content is going to need to support HTTPS at the same Profile, Component/Level as HTTP protocol is supported. It may even be the case that FILE:// won't work or will require a configuration setting change in the browser.
>
> --
> *Leonard Daly*
> 3D Systems & Cloud Consultant
> X3D Co-Chair on Sabbatical
> LA ACM SIGGRAPH Chair
> President, Daly Realism - /Creating the Future/
> _______________________________________________
> x3d-public mailing list
> x3d-public at web3d.org
> http://web3d.org/mailman/listinfo/x3d-public_web3d.org

all the best, Don
-- 
Don Brutzman  Naval Postgraduate School, Code USW/Br       brutzman at nps.edu
Watkins 270,  MOVES Institute, Monterey CA 93943-5000 USA   +1.831.656.2149
X3D graphics, virtual worlds, navy robotics http://faculty.nps.edu/brutzman
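
Added example, not part of the original message or of any X3D player: a small Node.js classifier that applies the RFC 3986 section 3.2.2 host rules quoted above to a list of url strings and picks out the entries that are neither relative, local, nor https. The function names, result labels and sample URLs are assumptions made for illustration.

```javascript
// Added example; classifyUrl, hostOf and needsAttention are hypothetical names.
// Generic URI splitter from RFC 3986, Appendix B.
const URI_RE = /^(([^:\/?#]+):)?(\/\/([^\/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?/;

// Host part of an authority: drop userinfo and a trailing port.
function hostOf(authority) {
  const hostPort = authority.slice(authority.lastIndexOf("@") + 1);
  if (hostPort.startsWith("[")) {
    return hostPort.slice(0, hostPort.indexOf("]") + 1); // IPv6 literal
  }
  return hostPort.replace(/:\d*$/, "");
}

function classifyUrl(url) {
  const m = URI_RE.exec(url);
  const scheme = m[2] ? m[2].toLowerCase() : null;
  // m[4] is undefined when there is no "//authority" part at all.
  const host = m[4] === undefined ? "" : hostOf(m[4]).toLowerCase();

  if (scheme === null) return "relative";
  if (scheme === "file") {
    // No authority, empty host and "localhost" all mean the user's machine.
    return host === "" || host === "localhost" ? "local-file" : "file-remote-host";
  }
  if (scheme === "http" || scheme === "https") {
    if (host === "") return "invalid"; // missing authority or empty host
    return scheme === "https" ? "remote-encrypted" : "remote-cleartext";
  }
  return "other-scheme";
}

// Entries of a url list that are neither relative, local, nor https.
function needsAttention(urls) {
  const ok = new Set(["relative", "local-file", "remote-encrypted"]);
  return urls.filter((u) => !ok.has(classifyUrl(u)));
}

// Constructed sample list (hosts under example.org are placeholders).
const sample = [
  "file:///etc/hosts",
  "file://localhost/etc/hosts",
  "file://fileserver.example.org/models/scene.x3d",
  "http:///scene.x3d",
  "http://www.example.org/scene.x3d",
  "https://www.example.org/scene.x3d",
  "scene.x3d",
];
console.log(needsAttention(sample));
```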
