
Re: [whatwg] Mixed content WebSockets: use subprotocols!

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Fri, 04 Oct 2013 19:55:17 +0200
To: Nicholas Wilson <nicholas@nicholaswilson.me.uk>
Message-ID: <jcvt49pq0uctqgb9jedj4ai2r45buf9tc5@hive.bjoern.hoehrmann.de>
Cc: whatwg@lists.whatwg.org

* Nicholas Wilson wrote:
>Currently, Firefox blocks "ws://" connections from HTTPS pages, while
>Chrome doesn't. Ultimately, this needs to be resolved somehow. There
>are legitimate uses of mixed-content WebSocket connections - for
>example, a simple VNC or SSH client in the browser. It is very hard
>for a peer-to-peer application to put certificates on each node for
>TLS ("wss://"), but WebCrypto makes it easy to do proper crypto in
>javascript over a raw WebSocket connection.
>Mixed-content blocking is good, and we're suggesting relaxing it. Some
>specific peer-to-peer webapps though have a genuine need for ws://
>from HTTPS pages.

Such as? If it's so easy to do "proper crypto" in client-side scripts,
why does the browser have to secure the HTTP transport? If it doesn't,
you can use 'http' and access 'ws' over it.

Browsers would have to indicate to the user in either case that the
"page" as a whole is insecure. The authors of the "proper crypto"
solution might think they've done a good job securing the 'ws' channel,
but the odds are against them and the browser cannot verify anything.

(It would be interesting to know how the peer-to-peer application can
verify that the peer on the other hand is who they claim to be; we can
then replace the CA infrastructure by this new method...)
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Friday, 4 October 2013 17:55:59 UTC
