
Re: [whatwg] Mixed content WebSockets: use subprotocols!

From: Ian Hickson <ian@hixie.ch>
Date: Tue, 3 Dec 2013 21:35:26 +0000 (UTC)
To: Nicholas Wilson <nicholas@nicholaswilson.me.uk>
Message-ID: <alpine.DEB.2.00.1312032117510.27766@ps20323.dreamhostps.com>
Cc: whatwg@lists.whatwg.org

On Fri, 4 Oct 2013, Nicholas Wilson wrote:
> 
> Currently, Firefox blocks "ws://" connections from HTTPS pages, while 
> Chrome doesn't.

Then Chrome has a bug. Firefox is following the spec.


> Ultimately, this needs to be resolved somehow.

The idea here is simply that if you're on a secure page, you shouldn't 
need to worry about whether some random component is leaking information 
out in the clear.


> There are legitimate uses of mixed-content WebSocket connections - for 
> example, a simple VNC or SSH client in the browser.

Why in such a situation would you want to make a connection to a 
plain-text WebSocket server from an HTTPS page?

(Generally, plain-text WebSockets are only for toy applications. I 
would hope that all deployed production WebSocket servers would use only 
encrypted WebSockets.)


> It is very hard for a peer-to-peer application to put certificates on 
> each node for TLS ("wss://"), but WebCrypto makes it easy to do proper 
> crypto in JavaScript over a raw WebSocket connection.

I don't understand what you mean here.


> Mixed-content blocking is good, and we're suggesting relaxing it. Some 
> specific peer-to-peer webapps though have a genuine need for ws:// from 
> HTTPS pages.

Can you elaborate?


> I've implemented a few different suggestions with Firefox patches, and 
> concluded the only thing that's likely to get traction is a very 
> specific change to the WebSockets interface to let through known-good 
> subprotocols, treating them as 'secure' rather than 'mixed'.

I would be very dubious about any hand-rolled crypto being "secure".


> Either browsers can ship with a whitelist, or extend the subprotocol 
> argument in the WebSocket ctor to specify that the protocol is secure.

Why wouldn't people lie just to get around making things secure?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 3 December 2013 21:35:53 UTC
