It's worse than that for webservers.<p>I block all Amazon AWS/EC2 on my servers because it's never humans and I've yet to see a useful bot from there - they just suck bandwidth and CPU time. Since they have free, unlimited inbound, there's a bunch of nonsense going on.<p>Now I suspect Silk is going to use the same IP range as Amazon AWS, so if you block AWS, you block Silk?<p>So no more using iptables to stop the traffic - maybe I can do it on another layer, allowing the IP via user-agent but of course bots will start spoofing that too.<p>Anyone know if Silk will cache and serve content that is not fresh while ignoring no-cache headers?<p>Bonus points if anyone has access to a Fire and can test the IP range and header obedience (as well as pre-fetching aggressiveness).
When intercepting a regular HTTP session Silk is no more of a MITM attack than any ISP out there. I trust Amazon more than I trust AT&T or Verizon.<p>What disturbs me is that <i>Amazon Silk will terminate SSL on their end by default.</i>* This is the break from the past that's worrisome.<p>* Source: <a href="http://www.amazon.com/gp/help/customer/display.html/ref=hp_left_cn?ie=UTF8&nodeId=200775440" rel="nofollow">http://www.amazon.com/gp/help/customer/display.html/ref=hp_l...</a>
According to Ars Technica's article on Silk, it is possible to turn off the split browsing mode and use Silk as a regular web browser, so people who have privacy issues with this can turn it off.
Just playing devil's advocate here: They mention "aggregate user behavior", so they could be building a large, aggregated Markov chain that stores no user data whatsoever -- just site transition data for the world.<p>I haven't read in-depth analysis of how they do their stuff, though.
I work for a bank. If Silk does indeed terminate SSL, we will block this browser from accessing online banking. We block OperaMini browsers, which also terminate SSL, for exactly the same reason - your sign-on credentials will be IN THE CLEAR on a 3rd party site.<p>As the bank is the one offering the security guarantee and taking the risk, we cannot afford to have credentials in the clear on someone else's site -- ever.
There are alternative browsers available:<p><a href="http://www.amazon.com/gp/search/ref=sr_kk_1?rh=i%3Amobile-apps%2Ck%3Abrowser&keywords=browser&ie=UTF8&qid=1317321315" rel="nofollow">http://www.amazon.com/gp/search/ref=sr_kk_1?rh=i%3Amobile-ap...</a><p>That doesn't fix the problem for unaware users, but at least the option to use other browsers still exists.