
Re: [tor-talk] FlashProxy and HTTPS

On Sat, Mar 30, 2013 at 09:23:13PM -0400, Tom Ritter wrote:
> I finally watched the recent FlashProxy talk, and the bit about "Not working on
> HTTPS" intrigued me. I looked into it, and had two initial ideas.
> ======================
> Mixed Content. This isn't great, but it's something that might work for now.
>   Chrome and FF do not block an HTTP iframe on an HTTPS site.
>   Chrome26 displays a different icon, and logs to console.
>   Chrome Canary (28) did the same
>   FF9.0.2 allows and has no indication
>   IE9 blocks
> So putting the badge on a page in an iframe could allow a webmaster to deploy
> it on a HTTPS site. That frame would be on a different domain, to get
> protections via Same Origin Policy
>
> ======================
> ======================

Serving the iframe contents over HTTP actually does seem to work. I
tried it in https://trac.torproject.org/projects/tor/ticket/6291#comment:15.

> Root Cert. This one is more than a bit crazy, but I don't believe in
> discounting crazy out of hand.
> So you've got the root cert. Folks who want to run FlashProxies install it in
> their browser or OS. (The NameConstraints give them confidence you're not
> going to, nor can you, mess with them.)

This could work, but only for standalone flash proxies, not those
running in a browser. And for standalone proxies, mixed-content warnings
and the browser's trust store are not even an issue. Aside from the fact
that it breaks the "visit this web page to become a proxy" idea, asking
people to install new certificates in their browser is bad for their

I don't think this idea works, because anyone wanting to go through the
trouble of making it work might as well just run a standalone proxy or
even a plain old Tor bridge.

David Fifield