Mixed active content


#21

[quote=“My1, post:17, topic:8523”]
well I thought there are downgrade protections everywhere and I see no reason to downgrade, I mean if you go through the trouble of getting a cert in the first place then use it.
[/quote]

A transparent HTTPS -> HTTP redirect without any warnings indicates a TLS server running on port 443 with a publicly-trusted certificate and a cipher suite overlap with common clients. Once a client sends application data (GET / HTTP/1.1), the server replies with a 3xx redirect to an HTTP location.

It’s very common. Visiting such sites is my daily routine.
When I need to share a site that is HTTP by default but supports HTTPS with a publicly-trusted cert, I share the HTTPS link. If a site goes full HTTPS, the links I shared have already been HTTPS; good to be smart like that.

Yes, such redirects can result in frustration and despair. For example, instead of the site you see a 451 from your ISP or even from an IP-transit operator, so you try HTTPS. When you see the 451 again without any trust warnings, it’s super-creepy. I have seen this happen with an NSFW site about hamsters, shame on them.


#22

Also, the question is WHY even get HTTPS in the first place if you are going to downgrade? That’s plain stupid.

I mean you pay more than enough money for a cert, set up an HTTPS server, close vulnerabilities like POODLE if they get public, etc., and then you aren’t even going to use it.

That’s a whole new level of stupidity.


#23

That’s just Amazon being Amazon.

They currently refuse to serve those images with a valid HTTPS certificate, so there is nothing that Discourse can do about it.


#24

But they can just NOT show the image.

And for the thing in the misused certs thread, how about not iframing whole sites?

I mean I can’t find it anymore, but one of LE said that this is the official means of support for LE. And for the means of support of a CA that wants to be browser-trusted (and that currently is, as per cross-cert), it’s pretty shameful to try to embed non-secure ACTIVE content, and what makes it worse, it’s external.

I mean the images are bad enough (as they usually throw a bigger warning than active content, because the browser blocks those initially), but browsers that don’t have mixed content handling may get serious problems.


#25

To clarify, that wasn’t an iframe.
That was a bug dumping the whole contents of the page into the post.


#26

Let’s look at the code:

```html
<iframe width="600" height="338" frameborder="0" class="wp-embedded-content" scrolling="no" marginheight="0" marginwidth="0" title="Embedded WordPress Post" src="http://thenextweb.com/insider/2016/01/07/lets-encrypts-free-https-certificates-are-already-being-used-to-distribute-malware/embed/" security="restricted" sandbox="allow-scripts"></iframe>
```

And tell me where this is NOT an iframe?
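As an added example (not Discourse’s code and not from anyone in this thread), here is a small scanner that finds mixed content in page HTML and separates the active kind (scripts, frames, plugins, which browsers block) from the passive kind (images and media, which browsers only warn about, as #24 describes). It is run over the iframe quoted above plus a few constructed tags; the tag tables and the sample page URL are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute naming a subresource. Active content (scripts, frames, plugins)
# can run code in the page, so browsers block it when loaded over HTTP into an
# HTTPS page; passive content (images, media) is only warned about. These tag
# lists are an assumption for this example, not a complete browser spec.
ACTIVE = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        table = ACTIVE if tag in ACTIVE else PASSIVE if tag in PASSIVE else None
        if table is None or not attrs.get(table[tag]):
            return
        # Resolve relative and protocol-relative ("//host/x") references against
        # the page URL: they inherit its scheme and must not be reported.
        absolute = urljoin(self.page_url, attrs[table[tag]])
        if urlsplit(absolute).scheme == "http":
            kind = "active" if table is ACTIVE else "passive"
            self.findings.append((kind, tag, absolute))

def scan_mixed_content(page_url, html):
    """Return (kind, tag, url) for every subresource `html` would fetch over
    plain HTTP when the page itself is served from the HTTPS `page_url`."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content only applies to pages served over https")
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

# Constructed sample: the post's iframe, a passive http image, and a safe protocol-relative image.
SAMPLE_URL = "https://community.example/t/mixed-active-content/8523"  # hypothetical
SAMPLE_HTML = """
<iframe class="wp-embedded-content" sandbox="allow-scripts"
 src="http://thenextweb.com/insider/2016/01/07/lets-encrypts-free-https-certificates-are-already-being-used-to-distribute-malware/embed/"></iframe>
<img src="http://images.example/cover.jpg">
<img src="//cdn.example/logo.png">
"""
if __name__ == "__main__":
    for kind, tag, url in scan_mixed_content(SAMPLE_URL, SAMPLE_HTML):
        print(f"{kind:7} <{tag}> {url}")
```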


#27

I think oneboxing is okay, but maybe only with HTTPS pics (or with none at all), and most importantly NO iframing of whole sites.