
Re: [tor-bugs] #8774 [EFF-HTTPS Everywhere]: Disable mixed content rulesets on FF 23+



#8774: Disable mixed content rulesets on FF 23+
----------------------------------+-----------------------------------------
 Reporter:  pde                   |          Owner:  pde            
     Type:  defect                |         Status:  new            
 Priority:  critical              |      Milestone:  HTTPS-E 4.0dev8
Component:  EFF-HTTPS Everywhere  |        Version:                 
 Keywords:                        |         Parent:  #6975          
   Points:                        |   Actualpoints:                 
----------------------------------+-----------------------------------------
Changes (by pde):

  * milestone:  HTTPS-E 4.0dev7 => HTTPS-E 4.0dev8


Comment:

 tanvi and I have been chatting about this in #security on irc.mozilla.org.
 For everyone who isn't there:

 <tanvi> pde: ping
 <tanvi> pde: thanks for cc'ing me on your mixed content bug.  you
 mentioned that you might try disabling mixed content blocker.  i don't
 think your addon can change the pref without causing a warning/alert when
 submitting to AMO for review
 <tanvi> that is a privileged pref that addons can't change
 <pde> tanvi: what we'd want would be a way to disable it in specific
 contexts
 <pde> we wouldn't want blanket disablement, since I think that would
 decrease user security overall
 <pde> and I guess I'm not committed to trying to do things that way, it's
 just one of the options
 <tanvi> hmm; not sure if that could be accomplished
 <tanvi> i suppose you could include javascript in the addon that looks for
 the shield after https everywhere rewrites a url and selects "Disable
 Protection on this page"
 <pde> exactly the sort of hackery I'm afraid of
 <tanvi> we have a mochitest that you could use to find broken sites
 <pde> alternatively we could write the same javascript (or use mochitest)
 and try to disable our rewrites for those sites
 <tanvi> not sure if it will work with the addon; but if you take alexa top
 X sites and run them through your rewrite rules
 <tanvi> you can then take the https urls that you get and put them through
 the mochitest
 <pde> we can also do it with opt-in user pingbacks
 <tanvi> the results of the mochitest will tell you whether or not Mixed
 Active Content was detected on the page
 <pde> oh I see
 <tanvi> once you know which of your rewrite rules result in pages with
 Mixed Active Content, you can disable those rewrite rules
 <pde> the hard part of that is that sometimes Mixed Active Content will
 happen in really obscure parts of sites, only for logged in users, etc
 <tanvi> pde - yeah, that is true
 <pde> so I think our best chance will be to opt-in instrument our users in
 the wild and see where it's happening
 <tanvi> we tested the top 1000 alexa sites for mixed content, and found 77
 with mixed active content. but we only tested the homepage and we didn't
 log in
 <pde> we have already found quite a few via manual reporting from our
 chrome userbase
 <pde> but I think we currently just offer our chrome users a much worse
 experience than our firefox users
 <tanvi> even before Firefox 23, you can listen for certain
 nsWebProgressListener flags.  specifically
 STATE_LOADED_MIXED_ACTIVE_CONTENT
 http://mxr.mozilla.org/mozilla-central/source/uriloader/base/nsIWebProgressListener.idl#185
 <tanvi> that will tell you if the mixed content blocker will be invoked
 for a website.
 <tanvi> prior to FF23
 <tanvi> in FF23 (when it is blocked by default) you would look for
 STATE_BLOCKED_MIXED_ACTIVE_CONTENT
 <pde> oh that's super helpful
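
 The listener approach tanvi describes at the end of the chat, as an added
 example that is not part of the ticket, the IRC log, or HTTPS Everywhere's
 own code: an nsIWebProgressListener-shaped object whose onSecurityChange
 tests the STATE_LOADED_MIXED_ACTIVE_CONTENT (pre-FF23) and
 STATE_BLOCKED_MIXED_ACTIVE_CONTENT (FF23+) bits and attributes each hit to
 the ruleset that rewrote the page, giving the list of rulesets to disable or
 report. The flag values, the ruleset map (rewrittenBy), the hostOf helper and
 the MixedContentAuditor class are this example's own assumptions; it is plain
 JavaScript so it runs outside Firefox, and a real add-on would take the
 constants from Ci.nsIWebProgressListener and register the object with
 gBrowser.addProgressListener.

```javascript
// Added example (not from the ticket or HTTPS Everywhere): an audit hook in the
// shape of nsIWebProgressListener that records which rulesets led to pages
// where Firefox loaded (pre-FF23) or blocked (FF23+) mixed active content.
// Plain JavaScript so it runs under Node; in an add-on the constants come from
// Ci.nsIWebProgressListener and the listener is registered with
// gBrowser.addProgressListener(listener, Ci.nsIWebProgress.NOTIFY_SECURITY).
// The names MixedContentAuditor, rewrittenBy and hostOf are this example's own.

// Assumed flag values (nsIWebProgressListener.idl of the period); verify them
// against Ci.nsIWebProgressListener in the target Firefox rather than trusting
// these literals.
const STATE_BLOCKED_MIXED_ACTIVE_CONTENT = 0x00000010;
const STATE_LOADED_MIXED_ACTIVE_CONTENT = 0x00000020;

// Stand-in for the extension's record of which ruleset rewrote which host
// (constructed sample data).
const rewrittenBy = new Map([
  ["www.example.com", "Example.com"],
  ["cdn.example.net", "ExampleCDN"],
]);

// Host extraction; a real add-on reads request.URI.host from the nsIURI.
function hostOf(uri) {
  return new URL(uri).hostname;
}

class MixedContentAuditor {
  constructor(rulesetIndex) {
    this.rulesetIndex = rulesetIndex;
    this.findings = new Map(); // ruleset name -> Set of affected hosts
  }

  // Mirrors nsIWebProgressListener.onSecurityChange(aWebProgress, aRequest,
  // aState). Returns the finding it recorded, or null if there is nothing.
  onSecurityChange(webProgress, request, state) {
    const loaded = (state & STATE_LOADED_MIXED_ACTIVE_CONTENT) !== 0;
    const blocked = (state & STATE_BLOCKED_MIXED_ACTIVE_CONTENT) !== 0;
    if (!loaded && !blocked) return null;

    // Attribute only top-level document loads; a subframe's mixed content
    // belongs to whatever rewrote the framed page, which we cannot tell here.
    if (!webProgress.isTopLevel) return null;

    const host = hostOf(request.URI);
    const ruleset = this.rulesetIndex.get(host);
    if (!ruleset) return null; // not rewritten by us, so not a ruleset bug

    if (!this.findings.has(ruleset)) this.findings.set(ruleset, new Set());
    this.findings.get(ruleset).add(host);
    return { ruleset, host, blocked };
  }

  // Rulesets that produced mixed active content: candidates for disabling or
  // for an opt-in report back to the project.
  rulesetsToDisable() {
    return [...this.findings.keys()].sort();
  }

  // The remaining listener methods must exist even though they do nothing.
  onStateChange() {}
  onProgressChange() {}
  onLocationChange() {}
  onStatusChange() {}
}

// Constructed sequence of security-change events as an add-on might see them.
function auditSample() {
  const auditor = new MixedContentAuditor(rewrittenBy);
  const events = [
    // FF23+: the blocker fired on a page one of our rulesets rewrote.
    { top: true, uri: "https://www.example.com/login", state: STATE_BLOCKED_MIXED_ACTIVE_CONTENT },
    // Pre-FF23 style: mixed script actually loaded, but the page is not ours.
    { top: true, uri: "https://other.example.org/", state: STATE_LOADED_MIXED_ACTIVE_CONTENT },
    // Clean page: no mixed-content bits set.
    { top: true, uri: "https://cdn.example.net/", state: 0 },
    // Subframe on a rewritten host: ignored by design.
    { top: false, uri: "https://cdn.example.net/frame", state: STATE_BLOCKED_MIXED_ACTIVE_CONTENT },
  ];
  for (const e of events) {
    auditor.onSecurityChange({ isTopLevel: e.top }, { URI: e.uri }, e.state);
  }
  return auditor;
}

console.log(auditSample().rulesetsToDisable()); // [ 'Example.com' ]
```

 Run with node; only the ruleset that rewrote www.example.com is reported,
 because the page on other.example.org was never rewritten and the subframe
 hit is deliberately not attributed. Keying on the top-level document is the
 design choice worth noting: the same bits arrive for subframes, and counting
 those would blame whichever ruleset rewrote the outer page.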

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8774#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs