It's complicated. Mixed content has always broken the security model espoused by SSL. It wasn't actually mixed content that originally broke it, rather it was the speed/cpu requirements that slowed down the browsing, so sites deployed the SSL only for their secure credit card collection. (I'm talking mid 1990s here.) Which created the unfortunate habit of mixing.

Mixed content came later, but achieved the same effect. If the site is split across secure and insecure, in whatever way, the attacker attacks the insecure and then bootstraps into the secure. The ways are many and varied. This is not a new thing, military folk have been teaching the attack for millennia.

The only 'solution' is really to put everything into the secure side.

Then, you run into the problem of how easy it is to migrate to full SSL. Because there is no "neutral" mode in SSL because of commercial decisions enforced by browsers, it is impossible to mix, so your scenario (3) kicks in. So the secure browsing world is locked in this semi-secure, mostly broken mode. Either everyone upgrades to HTTPS, or it won't work.

The solution is fairly easy, just create a neutral mode. But to date, browsers have declined to do that, even taking things to the ridiculous situation where an unfamiliar or defective SSL cert is considered to be more dangerous than open HTTP. Logically asinine, and a running joke in security circles but commercially it tickles the marketing folks at CAs who believe that only their certs can defend the traffic. So basically one can see the move to HTTPS-always as a browser subsidy to CAs.

You've got a choice really, harm the users in order to get some semblance of movement to a complete security exposure, or, let them be harmed the way they are now being harmed. It's 2013, phishing and other attacks are now entering their teens... Time to break some eggs?

iang
On 12/08/13 10:59 AM, mikko.rantalai...@gmail.com wrote:
I had totally missed that Firefox 23 turned on Mixed Content blocking. What is 
the rationale for that?

I'm aware that MSIE blocked mixed content but I always considered that a bug.

In short, I see mixed content blocking pros and cons as follows:

Pros:

(1) Avoid MitM attack for HTTPS sites that include e.g. script from HTTP 
connection.

Cons:

(2) Breaks existing sites that used to work in Firefox 22 and Chrome. (Granted, 
most of such sites were already broken in MSIE.)

(3) Prevents existing sites from easily upgrading from HTTP to HTTPS connection, 
especially if the site contains user authored content (embedded iframes)
To me, (1) is pretty meaningless because site authors that include HTTP scripts on HTTPS 
site will probably also run code vulnerable to XSS and CSRF attacks. Activating Mixed 
Content blocking and displaying a lock icon will give a false sense of security. I would 
much rather have a big ugly door hanger saying "beware of the leopard" which 
still allows the user to see all the content but hints that the content may not be 
totally safe.

I somewhat agree with (2) because it's easier for everybody if all content 
behaves similarly in all user agents.

However, the (3) is the deal breaker for me; I hope the target is to move most 
of the web on secure connections and anything that gives extra pain to the 
content authors should be avoided if at all possible.


Is the (1) really such a big problem (compared to XSS and CSRF vulnerabilities) 
that this change is really worth the troubles (3)??


I would guess that this change will move more people from Firefox to Chrome 
because sites seem to work with that...


_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
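The thread turns on two practical questions: which HTTP subresources on an HTTPS page are the dangerous ones (point (1): a plain-HTTP script can be replaced by a man-in-the-middle and then runs with the page's origin), and how a site can find what it has to fix before migrating (point (3)). The scanner below is an added example, not code from either poster or from Mozilla; it walks an HTML document with Python's standard-library parser and classifies every plain-HTTP subresource as "active" (script, stylesheet, iframe, object, embed: these can execute or restyle the page, which is what Firefox 23's blocker targets) or "passive" (images and media, which browsers typically still load with a warning). Protocol-relative URLs (`//cdn.example/...`) resolve to HTTPS on an HTTPS page and are therefore not flagged, which is the usual low-effort migration fix for shared includes. The host names and the sample page are constructed for the example.

```python
"""Classify mixed content in an HTML page that is served over HTTPS.

Added example: scans constructed HTML, not a real site. The tag/attribute
tables below reflect which subresources browsers treat as active (code or
style bearing) versus passive (display only) mixed content.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Active mixed content: the fetched resource can run code or restyle the page,
# so a man-in-the-middle on the HTTP leg controls the HTTPS page.
ACTIVE = {"script": "src", "iframe": "src", "link": "href",
          "object": "data", "embed": "src"}
# Passive mixed content: the resource is only displayed (tampering is visible
# but cannot execute within the page's origin).
PASSIVE = {"img": "src", "audio": "src", "video": "src"}


class MixedContentScanner(HTMLParser):
    """Collects (severity, tag, absolute_url) for every plain-HTTP subresource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser gives a list of (name, value) pairs
        if tag in ACTIVE:
            attr, severity = ACTIVE[tag], "active"
        elif tag in PASSIVE:
            attr, severity = PASSIVE[tag], "passive"
        else:
            return
        # A <link> only fetches active content when it is a stylesheet.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        url = attrs.get(attr)
        if not url:
            return
        # Resolve relative and protocol-relative references against the page URL;
        # "//cdn.example/x.js" on an https page becomes https and is not flagged.
        absolute = urljoin(self.page_url, url)
        if urlsplit(absolute).scheme == "http":
            self.findings.append((severity, tag, absolute))


def scan(page_url, html):
    """Return mixed-content findings for `html` as if served from `page_url`.

    Mixed content is only defined for secure pages, so an http:// page yields [].
    """
    if urlsplit(page_url).scheme != "https":
        return []
    parser = MixedContentScanner(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


def has_active_mixed_content(findings):
    """True if any finding would be blocked outright by an active-content blocker."""
    return any(severity == "active" for severity, _, _ in findings)


# Constructed sample page: a mix of absolute-HTTP, protocol-relative and
# site-relative subresources, as a half-migrated site typically has.
SAMPLE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<script src="//cdn.example/app.js"></script>
<script src="http://tracker.example/t.js"></script>
</head><body>
<img src="http://images.example/logo.png">
<iframe src="http://video.example/embed/123"></iframe>
<img src="/local.png">
</body></html>"""

if __name__ == "__main__":
    for severity, tag, url in scan(SAMPLE_URL, SAMPLE_HTML):
        print(f"{severity:7} <{tag}> {url}")
    print("would be blocked:", has_active_mixed_content(scan(SAMPLE_URL, SAMPLE_HTML)))
```

Run against the sample, the scanner reports the stylesheet, the tracker script and the iframe as active and the logo as passive; the protocol-relative `app.js` and the site-relative image are clean. Pointing the same logic at a site's own templates before flipping it to HTTPS gives the list of includes that need to be rewritten, which is the work item behind point (3).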
