On 26/09/2013 11:43, David Bruant wrote:
> On Thu, 26 Sep 2013 11:11:40 CEST, Aymeric Vitte wrote:
>> For those interested I provided in the CSP thread a link to a FF bug
>> report where it's explained how some security policy (here Websocket
>> spec) forces me to do insecure things. I don't know what list can take
>> care of it, there is a discussion in [1] too, for now I did not see
>> really solid arguments showing that I could be wrong.
> I answered on the webappsec thread. Firefox blocks mixed content for
> good reasons. When receiving an HTTPS page, the browser shows lots of
> signs of the page being secure. If the page starts loading
> code/style/content with HTTP, these are subject to man in the middle
> attacks and suddenly, the browser gives a false sense of security to
> the user.

Mixed content is not blocked today. Again, it's difficult to say which
one is more insecure between http with https or https with http; the
first one has been subject to a mitm attack since the beginning.

> Firefox isn't forcing you to do insecure things. Firefox is forcing
> you to make a choice: go all the way secure (so that it can show a
> strong signal to the user) or use HTTP.

I am not saying FF is the problem, FF follows the Websocket spec, which
does not allow ws with https. I am explaining why I cannot use wss
(routers cannot have trusted certificates), so I am forced to fall back
to http. It's easy to deny the issue but that's a real life use case.

>> Maybe a solution could be a combination of CSP and SES, I think SES
>> should come now, as far as I remember it is planned for ES8, seems too
>> late.
> SES exists now... sort of... with Caja. You don't need to wait, it's
> already available. Module loaders are also a major step forward.

Not very intuitive to use as far as I remember.

>> Solving the code loading issue is indeed the key point, but is it
>> feasible?
> Can you describe ways in which it isn't?

Do you know a way (even theoretical) to safely load code with web
mechanisms that can defeat a mitm? This would necessarily imply another
check mechanism on top of SSL/TLS.

> David

--
Peersm: http://www.peersm.com
node-Tor: https://www.github.com/Ayms/node-Tor
GitHub: https://www.github.com/Ayms
_______________________________________________
es-discuss mailing list
[email protected]
https://mail.mozilla.org/listinfo/es-discuss