
An alleged SSL/TLS protocol vulnerability


Posted Sep 21, 2011 6:45 UTC (Wed) by butlerm (subscriber, #13312)
In reply to: An alleged SSL/TLS protocol vulnerability by rickmoen
Parent article: An alleged SSL/TLS protocol vulnerability

Wouldn't it be far superior for websites to proxy all cross-hosted advertising and other content? Then there would be only one HTTPS connection to worry about, instead of half a dozen, each with a substantial HTTPS connection setup time.



An alleged SSL/TLS protocol vulnerability

Posted Sep 21, 2011 8:18 UTC (Wed) by noah123 (guest, #58540) [Link] (3 responses)

Proxying content should be avoided as it could compromise the Same Origin policy.

An alleged SSL/TLS protocol vulnerability

Posted Sep 21, 2011 15:34 UTC (Wed) by butlerm (subscriber, #13312) [Link] (2 responses)

That assumes the proxied content has to include Javascript. We would all be better off if advertisements did not. A proper proxy implementation would filter it out.

An alleged SSL/TLS protocol vulnerability

Posted Sep 21, 2011 16:03 UTC (Wed) by andresfreund (subscriber, #69562) [Link] (1 responses)

Possibly one could also proxy every proxied domain to a separate subdomain to avoid that problem.
E.g. example.org.my-https-proxy.example and annoying-advertisement.example.my-https-proxy.example
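
The origin difference at issue in the two comments above, as an added example that is not part of the original thread: it compares serving every proxied site from one proxy host against the per-upstream subdomain scheme. The function names are hypothetical, and the hostnames are the placeholder names from the comment.

```javascript
// Added example, not code from the thread. PROXY_BASE and the upstream
// hostnames are the placeholder names used in the comment above.
const PROXY_BASE = "my-https-proxy.example";

// Path-style proxying: every upstream is served from the proxy's own host,
// so all proxied content ends up in a single browser origin.
function pathStyleUrl(upstreamUrl) {
  const u = new URL(upstreamUrl);
  return `https://${PROXY_BASE}/${u.hostname}${u.pathname}${u.search}`;
}

// Subdomain-style proxying: the upstream hostname is prefixed to the proxy
// domain, so each upstream gets a distinct host and therefore a distinct origin.
function subdomainStyleUrl(upstreamUrl) {
  const u = new URL(upstreamUrl);
  const host = `${u.hostname}.${PROXY_BASE}`;
  // A DNS name is limited to 253 characters in total.
  if (host.length > 253) throw new RangeError(`proxied hostname too long: ${host}`);
  return `https://${host}${u.pathname}${u.search}`;
}

// Same-origin comparison as browsers apply it: scheme, host and port must match.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Reports whether two proxied upstreams would share an origin under each scheme.
function compare(upstreamA, upstreamB) {
  return {
    pathStyleShared: sameOrigin(pathStyleUrl(upstreamA), pathStyleUrl(upstreamB)),
    subdomainShared: sameOrigin(subdomainStyleUrl(upstreamA), subdomainStyleUrl(upstreamB)),
  };
}

// Constructed sample input.
// Note: origin separation does not cover cookies set with
// Domain=my-https-proxy.example; browsers send those to every subdomain.
console.log(compare(
  "https://example.org/index.html",
  "https://annoying-advertisement.example/ad.js?slot=1"
));
```

A wildcard certificate for `*.my-https-proxy.example` matches a single label only, so multi-label names such as `example.org.my-https-proxy.example` need their own certificate coverage.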

An alleged SSL/TLS protocol vulnerability

Posted Sep 24, 2011 19:51 UTC (Sat) by butlerm (subscriber, #13312) [Link]

The problem with doing that is that you have separate HTTPS startup latency for every separate ad provider, which on some sites seems to be half a dozen or more. If you can safely proxy advertising content, pages will load much faster.

If advertisers just can't live without Javascript, perhaps the W3C could standardize on a technique to sandbox scripts originating from the same domain, even running on the same page.

An alleged SSL/TLS protocol vulnerability

Posted Sep 22, 2011 13:28 UTC (Thu) by mrshiny (guest, #4266) [Link] (1 responses)

The advertisers want requests directly from the browser because that lets them use cookies and do fingerprinting and other things like that, which can't be done when the ad is proxied by the site. So I doubt most advertisers will go with that.

An alleged SSL/TLS protocol vulnerability

Posted Sep 24, 2011 19:57 UTC (Sat) by butlerm (subscriber, #13312) [Link]

Perhaps that is a hint that what advertisers are doing now is a security violation. In any case, deploying ads using https to half a dozen third party domains is going to be so slow that a lot of people are going to have second thoughts.

