ES Native Mode proposal

Mark S. Miller erights at google.com
Thu Sep 26 08:24:30 PDT 2013


On Thu, Sep 26, 2013 at 3:16 AM, Aymeric Vitte <vitteaymeric at gmail.com>wrote:

>
> Le 26/09/2013 11:43, David Bruant a écrit :
>
>  Le jeu. 26 sept. 2013 11:11:40 CEST, Aymeric Vitte a écrit :
>>
>>> For those interested I provided in the CSP thread a link to a FF bug
>>> report where it's explained how some security policy (here Websocket
>>> spec) forces me to do insecure things. I don't know what list can take
>>> care of it, there is a discussion in [1] too, for now I did not see
>>> really solid arguments showing that I could be wrong.
>>>
>> I answered on the webappsec thread. Firefox blocks mixed content for good
>> reasons. When receiving an HTTPS page, the browser shows lots of signs of
>> the page being secure. If the page starts loading code/style/content with
>> HTTP, these are subject to man in the middle attacks and suddenly, the
>> browser gives a false sense of security to the user.
>>
>
> Mixed content is not blocked today. Again, it's difficult to say which one
> is more insecure between http with https or https with http, the first one
> is subject to a mitm attack since the begining.
>
>
>  Firefox isn't forcing you to do insecure things. Firefox is forcing you
>> to make a choice: go all the way secure (so that it can shows strong signal
>> to the user) or use HTTP.
>>
>
> I am not saying FF is the problem, FF follows the Websocket spec, which
> does not allow ws with https. I am explaining why I can not use wss
> (routers can not have trusted certificates), so I am forced to fallback to
> http. It's easy to deny the issue but that's a real life use case.
>
>
>
>>  Maybe a solution could be combination of CSP and SES, I think SES
>>> should come now, as far as I remember it is planned for ES8, seems too
>>> late.
>>>
>> SES exists now... sort of... with Caja. You don't need to wait, it's
>> already available. Module loaders are also a major step forward.
>>
>
> Not very intuitive to use as far as I remember.


Please try again and let us know what problems or confusions you run into,
so we can make it more intuitive.

Any SES support coming in std ES will be based on experience and lesson
from existing SES, so getting this feedback early would be most helpful.
Thanks.



>
>
>
>>  Solving the code loading issue is indeed the key point, but is it
>>> feasible?
>>>
>> Can you describe ways in which it isn't?
>>
>
> Do you know a way (even theoretical) to safely load code with web
> mechanisms that can defeat a mitm? This would necessarly imply another
> check mechanism on top of SSL/TLS
>
>
>
>> David
>>
>
> --
> Peersm : http://www.peersm.com
> node-Tor : https://www.github.com/Ayms/**node-Tor<https://www.github.com/Ayms/node-Tor>
> GitHub : https://www.github.com/Ayms
>
> ______________________________**_________________
> es-discuss mailing list
> es-discuss at mozilla.org
> https://mail.mozilla.org/**listinfo/es-discuss<https://mail.mozilla.org/listinfo/es-discuss>
>



-- 
    Cheers,
    --MarkM
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20130926/b6b849a8/attachment-0001.html>


More information about the es-discuss mailing list