TOTD: Blocking insecure "mixed-content" on Firefox
To give a little background, when one connects to an HTTPS site, the data channel is encrypted and authenticated. However, if the HTTPS site also serves HTTP content (so-called mixed content), the unencrypted portion can be sniffed and hijacked by an attacker. If that insecure content is active (i.e. has access to some or all of the document object model), the attacker can potentially change the behavior of the HTTPS page and steal information.

Firefox has joined other browsers and now permits the blocking of mixed content. However, this feature is off by default until Firefox 23. Until then, one must turn the blocking on manually. To turn it on, surf to about:config and make the following change by double-clicking on security.mixed_content.block_active_content:

Code:
security.fileuri.strict_origin_policy default boolean true

--mancha

TOTD = Tip of the Day
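The distinction the blocker acts on is active versus passive (display) mixed content. As an added example, not code from the original post or from Firefox, the following Python script walks the subresources of an HTTPS page and sorts them into those two buckets, resolving relative and protocol-relative URLs the way a browser would. The page URL and HTML are constructed sample input, and the tag-to-category table is a simplification of the browser's own rules (stylesheets are treated as active because CSS can alter the page).

```python
"""Classify the subresources of an HTTPS page as secure, active mixed
content, or passive (display) mixed content.

Added example, not from the forum post or the Firefox code base. Uses
only the standard library and a constructed HTML snippet.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose loaded resource can run code or reach the DOM: "active" content.
# Simplified table, an assumption of this example rather than the browser's
# exact list.
ACTIVE = {
    "script": ("src",),
    "iframe": ("src",),
    "frame": ("src",),
    "object": ("data",),
    "embed": ("src",),
    "link": ("href",),  # only rel="stylesheet" links are collected below
}
# Tags whose resource is only rendered: "passive" / display content.
PASSIVE = {
    "img": ("src",),
    "audio": ("src",),
    "video": ("src",),
    "source": ("src",),
}


class SubresourceCollector(HTMLParser):
    """Collect (tag, absolute_url, kind) for every subresource reference."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "link" and (attrs.get("rel") or "").lower() != "stylesheet":
            return
        for table, kind in ((ACTIVE, "active"), (PASSIVE, "passive")):
            if tag in table:
                for name in table[tag]:
                    if attrs.get(name):
                        # urljoin resolves "/path" and "//host/path" against
                        # the page URL, so protocol-relative URLs inherit https.
                        url = urljoin(self.page_url, attrs[name])
                        self.findings.append((tag, url, kind))


def classify(page_url, html):
    """Return {"active": [...], "passive": [...], "secure": [...]} for the page.

    Mixed content is only defined for HTTPS pages, so a non-HTTPS page URL
    is rejected instead of silently returning an empty report.
    """
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content is only defined for HTTPS pages")
    collector = SubresourceCollector(page_url)
    collector.feed(html)
    result = {"active": [], "passive": [], "secure": []}
    for _tag, url, kind in collector.findings:
        scheme = urlsplit(url).scheme
        if scheme == "https":
            result["secure"].append(url)
        elif scheme == "http":
            result[kind].append(url)
        # data:, blob: and similar schemes are neither and are ignored here
    return result


# Constructed sample input: an HTTPS checkout page pulling in a mix of
# secure, active-insecure and passive-insecure resources.
SAMPLE_PAGE = "https://shop.example/checkout"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<script src="//cdn.example/app.js"></script>
<script src="http://tracker.example/t.js"></script>
</head><body>
<img src="http://images.example/logo.png">
<img src="/static/cart.png">
<iframe src="http://ads.example/frame"></iframe>
<video src="http://media.example/clip.mp4"></video>
</body></html>
"""

if __name__ == "__main__":
    report = classify(SAMPLE_PAGE, SAMPLE_HTML)
    for kind in ("active", "passive", "secure"):
        print(f"{kind}:")
        for url in report[kind]:
            print(f"  {url}")
```

With the sample page, the three HTTP script/stylesheet/iframe references land in "active" (what security.mixed_content.block_active_content blocks), the two HTTP image/video references land in "passive", and both the protocol-relative script and the site-relative image resolve to HTTPS and are reported as secure.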
It's a good step forward but it needs work. I use RequestPolicy at the finest granularity (allowing/denying each domain and protocol separately) and NoScript with the same fine granularity.

With the new mixed content blocking enabled for both active and passive content, I found a site (Apple's iTunes store) that loads third-party unencrypted content (images), but after allowing this content in RequestPolicy, the new mixed content blocker did not show the shield icon necessary to allow the content, yet it still blocked it anyway. Basically, it left me with no way to view the content. This was with passive content, which is not recommended to block anyway, but it makes me nervous about using it at all. It did work on a vanilla Firefox profile without RequestPolicy/NoScript.

On Microsoft's mixed content test page, I allowed the unencrypted content in RequestPolicy but kept JavaScript disabled through NoScript (so it was only loading the unencrypted images). The passive content filter did not work at all (it did not pop up the shield or block the content). The shield only popped up when I enabled JavaScript on the HTTPS page. On other sites I tested, it worked as it should.

For now I'll stick to RequestPolicy+NoScript, which lets me block mixed content anyway (though on a much more specific basis, which would drive most people crazy).

Right now it looks like it's all-or-nothing. You can enable this and have many pages break but have the fix a click away, at the cost of losing any protection using RequestPolicy/NoScript; or you can keep this disabled and maintain better control/protection using RequestPolicy/NoScript but at the cost of usability. It would be nice if you could have the best of both worlds (keeping RequestPolicy/NoScript on a domain basis rather than a protocol basis, but blocking mixed content), but that isn't possible right now as far as I can tell.
Couldn't you just use NoScript's ABE to write a custom script to block active content from HTTP when in HTTPS?