Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SSL browser warning with commenter images #420

Closed
elliottucker opened this issue Aug 23, 2014 · 8 comments

Comments

Projects
None yet
3 participants
@elliottucker
Copy link

commented Aug 23, 2014

Commenter avatar images appearing on an SSL secured site that link back to a non SSL site will cause browser warnings, i.e, you url ssl lock isn't green.

@benwerd

This comment has been minimized.

Copy link
Member

commented Aug 29, 2014

I'm going to try and push something to deal with this this weekend - right now I'm considering keeping a cache of user icons. All thoughts welcome!

@elliottucker

This comment has been minimized.

Copy link
Author

commented Aug 29, 2014

I think that's how similar solutions with Wordpress work, but does it scale?

@benwerd

This comment has been minimized.

Copy link
Member

commented Aug 30, 2014

It should scale. Avatar images are very small, and if you're dealing with an audience of millions of people, you'll probably have needed to scale your server up anyway.

@mapkyca

This comment has been minimized.

Copy link
Member

commented Aug 31, 2014

My two cents: http://stackoverflow.com/questions/3011222/dealing-with-http-content-in-https-pages
Basically, detect the http request and remap it to load the URL via an interstitial. This will give you the option to cache, and sanitise for various buffer exploit attacks.

@mapkyca

This comment has been minimized.

Copy link
Member

commented Aug 31, 2014

Thinking about this further, I think we absolutely want to be caching remote images locally, regardless of what scheme they're requested via.

Even if it's retrieved over HTTPS, loading remote images provides an extremely easy way for me to spy on your site visitors. All I'd have to do is webmention you from my site with an innocuous comment, referencing a profile icon (which I've configured my web server to serve with expired cache headers). Then, every visit to your site would hit mine, and I'd be able to collect a whole bunch of traffic details.

And, if the resource was requested over vanilla HTTP, I could use that as an attack vector - essentially I could turn your site into a FoxAcid server.

Refs #203

mapkyca added a commit to mapkyca/idno that referenced this issue Sep 2, 2014

@mapkyca

This comment has been minimized.

Copy link
Member

commented Nov 21, 2014

This should have been closed by 93de5c7

@mapkyca

This comment has been minimized.

Copy link
Member

commented Mar 11, 2015

Should be closed. /cc @benwerd

@mapkyca

This comment has been minimized.

Copy link
Member

commented Apr 25, 2015

Bump @benwerd

@benwerd benwerd closed this Jul 28, 2015

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.