- From: Chris Palmer <palmer@google.com>
- Date: Mon, 5 Jan 2015 14:43:53 -0800
- To: Jeffrey Yasskin <jyasskin@google.com>
- Cc: Mark Watson <watsonm@netflix.com>, Tim Berners-Lee <timbl@w3.org>, Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Mon, Jan 5, 2015 at 2:08 PM, Jeffrey Yasskin <jyasskin@google.com> wrote:

> That sounds plausible too. So two options on the table so far are:
>
> * Use the passive-mixed-content treatment, the locked yellow triangle on
> https://support.google.com/chrome/answer/6098869.
> * Use the http treatment: the non-lock document on
> https://support.google.com/chrome/answer/6098869, subject to future changes
> per [Marking HTTP As Non-Secure].
>
> (I suppose the third option so far is "OMG Don't do this !!1!!1" :)

Sign me up for Door #3. :)

The current passive mixed content treatment is already a concession. Consider https://launch-the-missiles.mil, which has this HTML:

=====
<p>Please select one of the following options to decide the fate of the world:</p>
<input type="image" src="http://cdn.launch-the-missiles.mil/declare-war.png" onclick="alert('boom')" />
<input type="image" src="http://cdn.launch-the-missiles.mil/declare-peace.png" onclick="alert('close call!')" />
=====

This app is ridiculously unsafe, in the presence of an active network attacker. The President has no way of knowing what will really happen when she clicks Declare Peace, because the attacker could swap the images.

President: General Turgidson, what just happened?!?!

Gen. Turgidson: Well, Madam President, you see, our CDN was going to charge a lot for HTTPS service...

Less nuclearly, imagine a MITM who modifies the Upside-Down-Ternet script (http://www.ex-parrot.com/pete/upside-down-ternet.html) to replace all corporate logos with the attacker's ads. (Anyone who has been to DEFCON has been subject to the gross-out version of this.)

Basically, whenever you see the Caution Triangle (or whatever indicator your browser uses to indicate Dubious), you don't know if the passive mixed content is benign or if the entire UX has been mangled in an exploitable way.

So, I'm not too excited about further concessions.
If we were to go with the HTTP/Non-Secure treatment, we must also treat the origin as non-secure for purposes of powerful features. But even then, the powerfulness of the feature might be the server's connection to the missile launching mechanism...
Received on Monday, 5 January 2015 22:44:20 UTC
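The message above argues that "passive" mixed content (images an HTTPS page fetches over plain http:) is already a concession, because an active network attacker can swap the images and change what a click means. The following is an added example, not code from the thread or from any browser: a small scanner that lists the http: subresources of an HTTPS document and splits them into passive and active mixed content, plus a rewrite that does what the CSP `upgrade-insecure-requests` directive does for such a page. The passive/active tag tables reflect the Mixed Content spec's optionally-blockable vs. blockable split as this example's author reads it, the tag scan is a simple regex (not an HTML parser), and the sample document is constructed from the HTML in the message plus a protocol-relative image and an http: script for contrast.

```javascript
// Added example (not from the thread): classify an HTTPS page's mixed content.

// Tag -> attributes whose http: value is passive (optionally-blockable) mixed content.
const PASSIVE = { img: ['src'], input: ['src'], audio: ['src'], video: ['src', 'poster'], source: ['src'] };
// Tag -> attributes whose http: value is active (blockable) mixed content:
// it runs code or styles the page, so a MITM gets full control of the document.
const ACTIVE = { script: ['src'], iframe: ['src'], link: ['href'], object: ['data'], embed: ['src'] };

// Constructed sample: the message's HTML plus two extra tags for contrast.
const SAMPLE_HTML = `
<p>Please select one of the following options to decide the fate of the world:</p>
<input type="image" src="http://cdn.launch-the-missiles.mil/declare-war.png" onclick="alert('boom')" />
<input type="image" src="http://cdn.launch-the-missiles.mil/declare-peace.png" onclick="alert('close call!')" />
<img src="//cdn.launch-the-missiles.mil/seal.png">
<script src="http://cdn.launch-the-missiles.mil/app.js"></script>
`;
const PAGE_URL = 'https://launch-the-missiles.mil/'; // assumed page URL, from the message

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Read one attribute value out of a start tag's attribute string (quoted or bare).
function attrValue(attrs, name) {
  const re = new RegExp(`(?:^|\\s)${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const a = re.exec(attrs);
  return a ? (a[1] ?? a[2] ?? a[3]) : null;
}

// Return every subresource the page would fetch over http:, with its category.
function findMixedContent(html, pageUrl) {
  const base = new URL(pageUrl);
  if (base.protocol !== 'https:') return []; // an http: page has no mixed content by definition
  const findings = [];
  const tagRe = /<([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g; // start tags only; '>' inside values is not handled
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = m[2];
    const table = has(PASSIVE, tag) ? PASSIVE : has(ACTIVE, tag) ? ACTIVE : null;
    if (!table) continue;
    // Only <input type=image> fetches its src; only rel=stylesheet <link>s load active content.
    if (tag === 'input' && (attrValue(attrs, 'type') || '').toLowerCase() !== 'image') continue;
    if (tag === 'link' && !/\bstylesheet\b/i.test(attrValue(attrs, 'rel') || '')) continue;
    for (const attr of table[tag]) {
      const raw = attrValue(attrs, attr);
      if (raw === null) continue;
      let url;
      try { url = new URL(raw, base.href); } catch { continue; } // relative and '//' URLs resolve against the page
      if (url.protocol === 'http:') {
        findings.push({ tag, attr, raw, url: url.href, kind: table === PASSIVE ? 'passive' : 'active' });
      }
    }
  }
  return findings;
}

// The effect of a `Content-Security-Policy: upgrade-insecure-requests` header,
// applied to the markup: every mixed-content URL is rewritten to https:.
// The CDN must actually serve HTTPS for the page to keep working.
function upgradeInsecureRequests(html, pageUrl) {
  let out = html;
  for (const f of findMixedContent(html, pageUrl)) {
    out = out.split(f.raw).join(f.raw.replace(/http:/i, 'https:'));
  }
  return out;
}

// Run stand-alone: list the findings, then confirm the upgraded document has none.
console.log(findMixedContent(SAMPLE_HTML, PAGE_URL));
console.log('after upgrade:', findMixedContent(upgradeInsecureRequests(SAMPLE_HTML, PAGE_URL), PAGE_URL));
```

On the sample the two `<input type="image">` buttons come back as passive and the `<script>` as active; the protocol-relative `<img>` resolves to https: and is not reported. The practitioner's point matches the message: the two "passive" findings are exactly the images whose swap changes what the President's click does, so the passive/active label says nothing about how much the attacker gains.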