[HTTPS-Everywhere] HTTPS Everywhere & insecure JS in Chrome
Seth David Schoen
schoen at eff.org
Thu Jul 26 13:44:23 PDT 2012
Aaron Swartz writes:
> > Option 2 is better than 1 because mixed content is generally better than pure HTTP
> > content (partial HTTPS still hides a lot from passive eavesdroppers, even if
> > active JS injection attacks remain possible). But 2 will require help from
> > the Chrome team (Adam, what do you think of this?).
>
> But in this case what is the partial HTTPS hiding? The stuff getting
> encrypted is generally stuff like jquery, standard css, and font
> libraries. The stuff that's getting left unencrypted is the content of
> your request and the resulting page you get -- _including its
> references to those outside files!_

I think a counterexample might be the New York Times homepage, where the
content of the article gets encrypted while the CSS doesn't. (Adam's
recent presentation has a screenshot of the results in Chromium, which
have the article content without proper formatting.) But I ought to
double-check that with Wireshark because I'm not positive that an
eavesdropper can't easily deduce what page it is.
--
Seth Schoen <schoen at eff.org>
Senior Staff Technologist https://www.eff.org/
Electronic Frontier Foundation https://www.eff.org/join
454 Shotwell Street, San Francisco, CA 94110 +1 415 436 9333 x107
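
The two cases compared in this thread (an HTTP page that loads libraries over HTTPS, and an HTTPS page that loads its CSS over HTTP), as an added example that is not part of the original message: it lists what a passive on-path observer can read in each case. The hostnames and markup are constructed placeholders, and the sketch assumes TLS exposes only the server hostname (no Encrypted Client Hello).

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that triggers a subresource fetch.
FETCH_ATTRS = {"script": "src", "link": "href", "img": "src", "iframe": "src"}
ACTIVE_TAGS = {"script", "link", "iframe"}  # content that can alter the page if tampered with

class _Collector(HTMLParser):
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.resources = []  # (tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return  # only stylesheet links are counted as fetches here
        value = a.get(FETCH_ATTRS.get(tag, ""))
        if value:
            self.resources.append((tag, urljoin(self.base_url, value)))

def eavesdropper_view(page_url, html):
    """Summarise what a passive observer learns when page_url is loaded."""
    collector = _Collector(page_url)
    collector.feed(html)
    page = urlsplit(page_url)
    page_https = page.scheme == "https"
    view = {
        "page_body_visible": not page_https,
        "cleartext_urls": [] if page_https else [page_url],
        "hostnames_only": [page.hostname] if page_https else [],
        "injectable_subresources": [],  # active content fetched over plain HTTP
    }
    for tag, url in collector.resources:
        parts = urlsplit(url)
        if parts.scheme == "http":
            view["cleartext_urls"].append(url)  # full URL and response are readable
            if tag in ACTIVE_TAGS:
                view["injectable_subresources"].append(url)
        elif parts.scheme == "https" and parts.hostname not in view["hostnames_only"]:
            view["hostnames_only"].append(parts.hostname)  # only the hostname leaks
    return view

# Constructed sample pages (placeholder hosts, not taken from the thread).
CASE_HTTP_PAGE = ("http://news.example/story",
                  '<script src="https://cdn.example/jquery.js"></script>')
CASE_HTTPS_PAGE = ("https://news.example/story",
                   '<link rel="stylesheet" href="http://static.example/site.css"><img src="/a.png">')
```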