On Sat, Mar 30, 2013 at 09:23:13PM -0400, Tom Ritter wrote: > I finally watched the recent FlashProxy talk, and the bit about "Not working > on > HTTPS" intrigued me. I looked into it, and had two initial ideas. > > ====================== > Mixed Content. This isn't great, but it's something that might work for now. > > Chrome and FF do not block an HTTP iframe on an HTTPS site. > Chrome26 displays a different icon, and logs to console. > Chrome Canary (28) did the same > FF9.0.2 allows and has no indication > IE9 blocks > > So putting the badge on a page in an iframe could allow a webmaster to deploy > it on a HTTPS site. That frame would be on a different domain, to get > protections via Same Origin Policy > > ======================
Serving the iframe contents over HTTP actually does seem to work. I tried it in https://trac.torproject.org/projects/tor/ticket/6291#comment:15. > Root Cert. This one is more than a bit crazy, but I don't believe in > discounting crazy out of hand. > > So you've got the root cert. Folks who want to run FlashProxies install it in > their browser or OS. (The NameConstraints give them confidence you're not > going to, nor can you, mess with them.) This could work, but only for a standalone flash proxies, not those running in a browser. And for standalone proxies, mixed-content warnings and the browser's trust store is not even an issue. Aside from the fact that it breaks the "visit this web page to become a proxy" idea, acking people to install new certificates in their browser is bad for their security. I don't think this idea works, because anyone wanting to go through the trouble of making it work might as well just run a standalone proxy or even a plain old Tor bridge. David Fifield _______________________________________________ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk