[whatwg] Mixed content WebSockets: use subprotocols!

Bjoern Hoehrmann derhoermi at gmx.net
Fri Oct 4 10:55:17 PDT 2013


* Nicholas Wilson wrote:
>Currently, Firefox blocks "ws://" connections from HTTPS pages, while
>Chrome doesn't. Ultimately, this needs to be resolved somehow. There
>are legitimate uses of mixed-content WebSocket connections - for
>example, a simple VNC or SSH client in the browser. It is very hard
>for a peer-to-peer application to put certificates on each node for
>TLS ("wss://"), but WebCrypto makes it easy to do proper crypto in
>javascript over a raw WebSocket connection.
>
>Mixed-content blocking is good, and we're suggesting relaxing it. Some
>specific peer-to-peer webapps though have a genuine need for ws://
>from HTTPS pages.

Such as? If it's so easy to do "proper crypto" in client-side scripts,
why does the browser have to secure the HTTP transport? If it doesn't,
you can use 'http' and access 'ws' over it.

Browsers would have to indicate to the user in either case that the
"page" as a whole is insecure. The authors of the "proper crypto" solution
might think they've done a good job securing the 'ws' channel,
but the odds are against them and the browser cannot verify anything.

(It would be interesting to know how the peer-to-peer application can
verify that the peer on the other hand is who they claim to be; we can
then replace the CA infrastructure by this new method...)
-- 
Björn Höhrmann · mailto:bjoern at hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 