An alleged SSL/TLS protocol vulnerability

Posted Sep 21, 2011 15:34 UTC (Wed) by butlerm (subscriber, #13312)
In reply to: An alleged SSL/TLS protocol vulnerability by noah123
Parent article: An alleged SSL/TLS protocol vulnerability

That assumes the proxied content has to include Javascript. We would all be better off if advertisements did not. A proper proxy implementation would filter it out.

An alleged SSL/TLS protocol vulnerability

Posted Sep 21, 2011 16:03 UTC (Wed) by andresfreund (subscriber, #69562) [Link] (1 responses)

Possibly one could also proxy every proxied domain to a separate subdomain to avoid that problem.
E.g. example.org.my-https-proxy.example and annoying-advertisement.example.my-https-proxy.example

An alleged SSL/TLS protocol vulnerability

Posted Sep 24, 2011 19:51 UTC (Sat) by butlerm (subscriber, #13312) [Link]

The problem with doing that if that you have separate HTTPS startup latency for every separate ad provider, which on some sites seems to be half a dozen or more. If you can safely proxy advertising content, pages will load much faster.

If advertisers just can't live without Javascript, perhaps the W3C could standardize on a technique to sandbox scripts originating from the same domain, even running on the same page.