LinuxQuestions.org
Old 06-12-2013, 10:46 AM   #1
mancha
TOTD: Blocking insecure "mixed-content" on Firefox


To give a little background, when one connects to an HTTPS site, the data channel is encrypted
and authenticated. However, if the HTTPS site also serves HTTP content (so-called mixed
content), the unencrypted portion can be sniffed and hijacked by an attacker.

If that insecure content is active (i.e. has access to some or all of the document object model),
the attacker can potentially change the behavior of the HTTPS page and steal information.

Firefox has joined other browsers and now permits the blocking of mixed-content. However, this
feature is off by default until Firefox 23. Until then, one must turn the blocking on manually.

To turn it on, surf to about:config and make the following change by double-clicking on
security.mixed_content.block_active_content:

Code:
security.fileuri.strict_origin_policy            default     boolean   true
security.mixed_content.block_active_content      user set    boolean   true
security.mixed_content.block_display_content     default     boolean   false

If interested, you can read a more detailed explanation here.

--mancha

TOTD=Tip of the Day
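
The active/display split behind the two preferences above can be checked on a page you maintain. This is an added example, not part of the original post: it audits the HTML of an HTTPS page for subresources that would load over plain HTTP and names the preference that would block each one. The tag classification is a simplified assumption, and the hosts and sample page are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Simplified split: loads that can touch the DOM vs. loads that are only rendered.
ACTIVE = {("script", "src"), ("iframe", "src"), ("embed", "src"), ("object", "data")}
DISPLAY = {("img", "src"), ("audio", "src"), ("video", "src")}

class MixedContentAudit(HTMLParser):
    """Collect subresources an HTTPS page would fetch over plain HTTP."""
    def __init__(self, page_url):
        super().__init__()
        if urlparse(page_url).scheme != "https":
            raise ValueError("mixed content only applies to HTTPS pages")
        self.page_url, self.findings = page_url, []

    def handle_starttag(self, tag, attrs):
        rel = (dict(attrs).get("rel") or "").lower().split()
        for name, value in attrs:
            if (tag, name) in ACTIVE or (tag == "link" and name == "href" and "stylesheet" in rel):
                kind = "active"
            elif (tag, name) in DISPLAY:
                kind = "display"
            else:
                continue
            # Resolve relative and protocol-relative URLs against the page URL.
            url = urljoin(self.page_url, value or "")
            if urlparse(url).scheme == "http":
                pref = "security.mixed_content.block_%s_content" % kind
                self.findings.append((kind, tag, url, pref))

def audit(page_url, html):
    """Return (kind, tag, url, blocking_pref) for each insecure subresource."""
    parser = MixedContentAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page (hypothetical hosts, not from any real site).
SAMPLE = """<html><head>
<script src="http://cdn.example.test/lib.js"></script>
<link rel="stylesheet" href="//static.example.test/site.css">
<script src="/js/app.js"></script>
</head><body>
<img src="http://img.example.test/logo.png">
<iframe src="https://pay.example.test/form"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url, pref in audit("https://shop.example.test/cart", SAMPLE):
        print(f"{kind:7} <{tag}> {url}  (blocked when {pref} is true)")
```

The protocol-relative stylesheet and the relative script inherit the page's HTTPS scheme, so only the two explicit http:// loads are reported.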
 
Old 06-12-2013, 02:00 PM   #2
T3slider
It's a good step forward but it needs work. I use RequestPolicy at the finest granularity (allowing/denying each domain and protocol separately) and NoScript with the same fine granularity. With the new mixed content blocking enabled for both active and passive content, I found a site (Apple's iTunes store) that loads third-party unencrypted content (images) -- but after allowing this content in RequestPolicy, the new mixed content blocker did not show the shield icon necessary to allow the content, but it still blocked it anyway. Basically, it left me with no way to view the content. This was with passive content, which is not recommended to block anyway, but it makes me nervous about using it at all. It did work on a vanilla Firefox profile without RequestPolicy/NoScript.

On Microsoft's mixed content test page, I allowed the unencrypted content in RequestPolicy but kept JavaScript disabled through NoScript (so it was only loading the unencrypted images). The passive content filter did not work at all (it did not pop up the shield or block the content). The shield only popped up when I enabled JavaScript on the HTTPS page. On other sites I tested it worked as it should. For now I'll stick to RequestPolicy+NoScript, which lets me block mixed content anyway (though on a much more specific basis, which would drive most people crazy).

Right now it looks like it's all-or-nothing. You can enable this and have many pages break but have the fix a click away, at the cost of losing any protection using RequestPolicy/noscript; or you can keep this disabled and maintain better control/protection using RequestPolicy/noscript but at the cost of usability. It would be nice if you could have the best of both worlds (keeping RequestPolicy/noscript on a domain basis rather than a protocol basis, but blocking mixed content) but that isn't possible right now as far as I can tell.
 
Old 06-13-2013, 10:27 AM   #3
pataphysician
Couldn't you just use NoScript's ABE to write a custom script to block active content from HTTP when in HTTPS?
 
  

