[HTTPS-Everywhere] HTTPS Everywhere & insecure JS in Chrome

Peter Eckersley pde at eff.org
Thu Jul 26 13:36:02 PDT 2012


On Thu, Jul 26, 2012 at 03:40:23PM -0400, Aaron Swartz wrote:
> > Option 2 is better than 1 because mixed content is generally better than pure HTTP
> > content (partial HTTPS still hides a lot from passive eavesdroppers, even if
> > active JS injection attacks remain possible).  But 2 will require help from
> > the Chrome team (Adam, what do you think of this?).
> 
> But in this case what is the partial HTTPS hiding? The stuff getting
> encrypted is generally stuff like jquery, standard css, and font
> libraries. The stuff that's getting left unencrypted is the content of
> your request and the resulting page you get -- _including its
> references to those outside files!_

Other way around.  The case I'm talking about above is something like
https://www.nytimes.com/path/to/article being encrypted, but allowing the CSS
and JS it embeds to be fetched over HTTP without user intervention.

> 
> The only thing I can see is that if there's a passive eavesdropper
> next to the server hosting the jquery library but not the main page,
> they might be able to see the Referer: header and thus know what page
> you're visiting (which they wouldn't if it was encrypted). But that
> doesn't seem like a huge hole and, if you're worried about it, can't
> you just drop the referer header from the HTTP requests?

-- 
Peter Eckersley                            pde at eff.org
Technology Projects Director      Tel  +1 415 436 9333 x131
Electronic Frontier Foundation    Fax  +1 415 436 9993
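
Added example, not part of the original message: a small auditor for the case discussed above, an HTTPS page whose embedded CSS and JS are referenced over HTTP. It reports subresources that can script or restyle the page ("active") separately from images and media ("display"); the sample markup and the example.org hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Subresources that can script or restyle the embedding page.
ACTIVE = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
# Subresources that only affect their own rendering.
DISPLAY = {"img": "src", "audio": "src", "video": "src", "source": "src"}

PAGE = "https://www.nytimes.com/path/to/article"  # URL quoted in the message
# Constructed sample markup; the example.org hostnames are placeholders.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://static.example.org/site.css">
<script src="http://cdn.example.org/jquery.js"></script>
<script src="//cdn.example.org/ok.js"></script>
<script src="/js/local.js"></script>
</head><body>
<img src="http://img.example.org/photo.jpg">
<a href="http://other.example.org/">a link, not a subresource</a>
</body></html>"""

class MixedContentAuditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, resolved URL)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        kind = ref = None
        if tag == "link" and "stylesheet" in (a.get("rel") or "").lower().split():
            kind, ref = "active", a.get("href")
        elif tag in ACTIVE:
            kind, ref = "active", a.get(ACTIVE[tag])
        elif tag in DISPLAY:
            kind, ref = "display", a.get(DISPLAY[tag])
        if not ref:
            return
        # Resolve relative and protocol-relative references against the page.
        resolved = urljoin(self.page_url, ref.strip())
        if urlsplit(resolved).scheme == "http":
            self.findings.append((kind, tag, resolved))

def audit(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on HTTPS pages
    parser = MixedContentAuditor(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings
```

Calling `audit(PAGE, SAMPLE)` returns the stylesheet, the jQuery script and the image; the protocol-relative and site-relative scripts inherit HTTPS from the page and are not reported.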