GlobaLeaks doesn't work in HTTP on Chrome due to missing webCrypto API #2348

Closed
fpietrosanti opened this issue Jul 3, 2018 · 6 comments

@fpietrosanti
Contributor

Current behavior
GlobaLeaks, when accessed over HTTP by Chrome, does not allow making a submission, leading to an error that, after clicking submit, shows only the countdown on the "submit button" without showing the questionnaire.

Expected behavior
GlobaLeaks should work in that condition and, if not possible due to PoW, should trigger an error.

@evilaliv3
Member

@fpietrosanti: this is a known situation due to the missing capability of web crypto in Chrome when it works in HTTP.

Actually I find that all the discussed solutions would not work because we decided intentionally to not block the client in this condition in order to allow the user to test the platform.

I recognize that actually we made the choice of rolling the client browser crypto in a later stage of the project we may remove the need for the support of the browser crypto API and implement the proof of work in JavaScript in a webworker as it will be necessary.

This would remove the need for printing an error because the platform will work like a charm!

@fpietrosanti
Contributor Author

Btw, any unhandled error should be handled within a try/catch or equivalent condition; even without changing how the PoW works, just a quick integrity error check is a fast fix.

@evilaliv3
Member

@fpietrosanti: got it, but here a solution exists, and it is to make the application work by implementing a fallback of the proof of work to use JavaScript in case webcrypto is not available.

Let's implement the solutions when they exist!

Remember, in fact, that our approach is to let users try GlobaLeaks without HTTPS and that we want them to be able to successfully test the platform.

If you are no longer of this idea, we can deny the whole application and communicate the problem to the user (Chrome and no HTTPS) with a big failure message like the following, which would be CRAP! :)

image

@fpietrosanti
Contributor Author

So, a simple solution is to disable PoW (client-side and server-side) while connections are over HTTP in clear, as it's in use for demonstrative purposes only.

@evilaliv3
Member

I would not recommend adding an if/else condition that, based on the availability of HTTP, would also disable the proof of work. Chaining a security downgrade to another security downgrade sounds to me not a viable solution.

I'm going to issue a minor patch that, in case webcrypto won't be available, will use openpgp.crypto.hash.sha256

@evilaliv3
Member

Patch integrated in devel branch! I will land in 3.3.0

evilaliv3 changed the title from "GlobaLeaks doesn't work in http from chrome 67.0.3396.87" to "GlobaLeaks doesn't work in HTTP on Chrome due to missing webCrypto API" on Aug 4, 2018