[HTTPS-Everywhere] HTTPS Everywhere & insecure JS in Chrome

Aaron Swartz me at aaronsw.com
Thu Jul 26 12:40:23 PDT 2012


> Option 2 is better than 1 because mixed content is generally better than pure HTTP
> content (partial HTTPS still hides a lot from passive eavesdroppers, even if
> active JS injection attacks remain possible).  But 2 will require help from
> the Chrome team (Adam, what do you think of this?).

But in this case what is the partial HTTPS hiding? The stuff getting
encrypted is generally stuff like jquery, standard css, and font
libraries. The stuff that's getting left unencrypted is the content of
your request and the resulting page you get -- _including its
references to those outside files!_

The only thing I can see is that if there's a passive eavesdropper
next to the server hosting the jquery library but not the main page,
they might be able to see the Referer: header and thus know what page
you're visiting (which they wouldn't if it was encrypted). But that
doesn't seem like a huge hole and, if you're worried about it, can't
you just drop the referer header from the HTTP requests?
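
One way the header-dropping suggested in the message above could look in a Chrome extension, as an added example that is not part of the original post or of HTTPS Everywhere's code. It assumes the blocking `chrome.webRequest` API; the function names, the choice to keep same-host referers, and the sample request are constructed for illustration.

```javascript
// Added example: strip the Referer header from plain-HTTP requests that
// go to a different host than the referring page. Names are illustrative.

// Constructed sample of the `details` object Chrome passes to the listener.
const SAMPLE = {
  url: "http://cdn.example.net/jquery.min.js",
  requestHeaders: [
    { name: "User-Agent", value: "constructed-sample" },
    { name: "Referer", value: "http://site.example.org/private/page?id=7" },
  ],
};

function hostOf(url) {
  try {
    return new URL(url).hostname.toLowerCase();
  } catch (e) {
    return null; // unparsable value
  }
}

// Pure decision function: returns the header list that should be sent.
function stripCrossSiteReferer(details) {
  const headers = details.requestHeaders || [];
  let target;
  try {
    target = new URL(details.url);
  } catch (e) {
    return headers;
  }
  // An HTTPS request is already opaque to a passive observer; leave it alone.
  if (target.protocol !== "http:") return headers;
  return headers.filter((h) => {
    if (h.name.toLowerCase() !== "referer") return true;
    // Same-host referers reveal nothing the request itself does not;
    // cross-host or unparsable ones are dropped.
    return hostOf(h.value || "") === target.hostname.toLowerCase();
  });
}

// Register only when running inside an extension. Newer Chrome versions
// additionally require "extraHeaders" in the last array to expose Referer.
if (typeof chrome !== "undefined" && chrome.webRequest) {
  chrome.webRequest.onBeforeSendHeaders.addListener(
    (details) => ({ requestHeaders: stripCrossSiteReferer(details) }),
    { urls: ["http://*/*"] },
    ["blocking", "requestHeaders"]
  );
}
```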



