LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

An alleged SSL/TLS protocol vulnerability

An alleged SSL/TLS protocol vulnerability

Posted Sep 21, 2011 15:34 UTC (Wed) by butlerm (subscriber, #13312)
In reply to: An alleged SSL/TLS protocol vulnerability by noah123
Parent article: An alleged SSL/TLS protocol vulnerability

That assumes the proxied content has to include Javascript. We would all be better off if advertisements did not. A proper proxy implementation would filter it out.

(Log in to post comments)

An alleged SSL/TLS protocol vulnerability

Posted Sep 21, 2011 16:03 UTC (Wed) by andresfreund (subscriber, #69562) [Link]

Possibly one could also proxy every proxied domain to a separate subdomain to avoid that problem.
E.g. example.org.my-https-proxy.example and annoying-advertisement.example.my-https-proxy.example

An alleged SSL/TLS protocol vulnerability

Posted Sep 24, 2011 19:51 UTC (Sat) by butlerm (subscriber, #13312) [Link]

The problem with doing that if that you have separate HTTPS startup latency for every separate ad provider, which on some sites seems to be half a dozen or more. If you can safely proxy advertising content, pages will load much faster.

If advertisers just can't live without Javascript, perhaps the W3C could standardize on a technique to sandbox scripts originating from the same domain, even running on the same page.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds