Embedded content fails silently
I reported this in an earlier email and I think it is a problem in Firefox more than Perspectives (I have filed a bug at mozilla.org).
I've disabled all CAs. Even github uses multiple links (https://assets[0123].github.com now, but was assets[].s3.amazon.com or something else) which would not trigger Perspectives' logic, or it would fail and not load/run the javascript, CSS, or image.
If it doesn't validate ALL content, it might be possible to bypass Perspectives by simply injecting javascript and CSS with a bogus location and certificate which Firefox itself would not detect (flaw, self-CA, wiretap, etc. that was valid according to the base CA) and would use it to cover up or replace the original page content with something else. If the bogus javascript could rewrite the page content completely, it doesn't matter if the original was valid.
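An added example (not code from the Perspectives project or the reporter) of how a defender could audit the gap described above: given the main page URL and the resources it embeds, list the HTTPS origins that a main-URL-only notary check never validates. The function name `findUncheckedOrigins` and the sample resource list are assumptions constructed for illustration.

```javascript
// Added example, not part of the Perspectives project. Given the page's main
// URL and the URLs of resources it embeds, report every HTTPS origin that a
// check covering only the main URL would leave unvalidated.
function findUncheckedOrigins(pageUrl, resourceUrls) {
  const page = new URL(pageUrl);
  const unchecked = new Map(); // origin -> paths loaded from that origin
  for (const raw of resourceUrls) {
    const u = new URL(raw, page); // resolve relative URLs against the page
    // Only TLS origins carry a certificate a notary check could cover;
    // plain http resources have no certificate at all, so skip them here.
    if (u.protocol !== "https:") continue;
    // The main URL's own origin is the one that does get validated.
    if (u.origin === page.origin) continue;
    const list = unchecked.get(u.origin) || [];
    list.push(u.pathname);
    unchecked.set(u.origin, list);
  }
  return unchecked;
}

// Constructed sample input modelled on the assets[0123].github.com pattern
// mentioned above; these hostnames and paths are illustrative only.
const samplePage = "https://github.com/example/repo";
const sampleResources = [
  "/stylesheets/site.css",
  "https://assets0.github.com/js/app.js",
  "https://assets1.github.com/img/logo.png",
  "https://assets1.github.com/css/theme.css",
  "https://assets2.github.com/js/vendor.js",
  "http://example.invalid/plain.js",
];

const report = findUncheckedOrigins(samplePage, sampleResources);
for (const [origin, paths] of report) {
  console.log(`${origin}: ${paths.length} resource(s) outside the main-URL check`);
}
```

In a browser the resource list can be taken from the page's own resource timing entries; the function itself is pure so it can be run over any captured list.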
Hi again tz1. Is this different than what we discussed in issue #14?
Firefox definitely has an odd/broken model, though I had thought at one point there might be a way for us to track embedded domains as well (as described in #14). Still haven't had any time to look at this though :(
It is probably a duplicate but with a different import.
Perspectives provides NO protection against any embedded items - since I have CAs turned off, pages break but if CAs are turned on it will use Firefox's CAs bypassing Perspectives. And no warnings or indications that it is happening.
For me (no trusted CAs), pages break quietly - no image, no javascript, etc. so there will be breakage but it might not be immediately noticeable. (github is one where it is very noticeable - it seems to use godaddy so you might try disabling that CA). For everyone else who leaves CAs enabled, anything not part of the main URL (or an iframe) bypasses Perspectives and works or shows up silently.
Feel free to merge #14 and this - but I'm just noting the implications of the flaw are more serious if CAs aren't disabled.