[tor-bugs] #9852 [Flashproxy]: [Flash-proxies] - WS with HTTPS

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Sep 30 22:11:51 UTC 2013 

#9852: [Flash-proxies] - WS with HTTPS
----------------------------+-----------------
     Reporter:  Aymeric     |      Owner:  dcf
         Type:  defect      |     Status:  new
     Priority:  normal      |  Milestone:
    Component:  Flashproxy  |    Version:
   Resolution:              |   Keywords:
Actual Points:              |  Parent ID:
       Points:              |
----------------------------+-----------------

Comment (by dcf):

 Replying to [comment:2 Aymeric]:
 > So, you are promoting HTTPS Everywhere but it's not an issue for you not
 to be able to use the flash proxy tag on https sites? And the Stanford
 flash proxy presentation site is using https...

 As I say, it's a consideration, but not really a problem. It is a shame
 that the proxy doesn't work on HTTPS sites, but we are not aware of any
 good workaround, and there are enough plain HTTP sites hosting it that it
 doesn't matter very much. The biggest cost is having to explain to
 conscientious site owners who run their sites over HTTPS why their badge
 won't work :(

 Censored users using the Tor Browser bundle with HTTPS Everywhere are not
 affected, because censored users don't need to see or run the proxy badge.
 Other, uncensored users (who mostly don't run HTTPS Everywhere) are the
 ones who are running the proxy code.

 The demo site also runs over plain HTTP. We don't do anything to try to
 force HTTPS users onto plain HTTP, because we have enough proxy capacity.
 As you see, it is kind of a complicated issue to explain anyway.

 > I brought the issue to different lists, always getting the same answer
 (security issue to downgrade from https to http but no problem to use
 https with http...), lists that do not perceive (or don't want) the fact
 that using ws with something more secure on top of it rather than wss can
 be better.
 >
 > Maybe you and other organizations should weigh more in the specification
 process.

 I think that the browsers are doing the right thing here. It's a sensible
 security decision to disallow non-SSL WebSockets from an SSL page. We just
 have to work within that restriction. It is at most a slight annoyance,
 not really a problem.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9852#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list