[tor-talk] FlashProxy and HTTPS
David Fifield
david at bamsoftware.com
Wed May 1 19:34:56 UTC 2013
On Sat, Mar 30, 2013 at 09:23:13PM -0400, Tom Ritter wrote:
> I finally watched the recent FlashProxy talk, and the bit about "Not working on
> HTTPS" intrigued me. I looked into it, and had two initial ideas.
>
> ======================
> Mixed Content. This isn't great, but it's something that might work for now.
>
> Chrome and FF do not block an HTTP iframe on an HTTPS site.
> Chrome26 displays a different icon, and logs to console.
> Chrome Canary (28) did the same
> FF9.0.2 allows and has no indication
> IE9 blocks
>
> So putting the badge on a page in an iframe could allow a webmaster to deploy
> it on a HTTPS site. That frame would be on a different domain, to get
> protections via Same Origin Policy
>
> ======================

Serving the iframe contents over HTTP actually does seem to work. I
tried it in https://trac.torproject.org/projects/tor/ticket/6291#comment:15.

> Root Cert. This one is more than a bit crazy, but I don't believe in
> discounting crazy out of hand.
>
> So you've got the root cert. Folks who want to run FlashProxies install it in
> their browser or OS. (The NameConstraints give them confidence you're not
> going to, nor can you, mess with them.)

This could work, but only for standalone flash proxies, not those
running in a browser. And for standalone proxies, mixed-content warnings
and the browser's trust store are not even an issue. Aside from the fact
that it breaks the "visit this web page to become a proxy" idea, asking
people to install new certificates in their browser is bad for their
security.

I don't think this idea works, because anyone wanting to go through the
trouble of making it work might as well just run a standalone proxy or
even a plain old Tor bridge.

David Fifield