-
Notifications
You must be signed in to change notification settings - Fork 325
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
potential issues with https sites / https gateway #19
Comments
In Ideal world, the addon should white-list local gateway URL/domain so that mixed-content is accepted for localhost connections. Done. Sadly, Firefox only enables user to disable this protection globally: Right now we can solve this for all browsers by putting HTTPS-enabled reverse proxy in front of go-ipfs (eg. nginx), but this requires additional setup. Including @dylanPowers, as this probably impacts ipfs-chrome-extension too. |
Hmm... wouldn't a self-signed cert still require the user to manually accept the cert within Firefox? Or can/should we do that programmatically? One idea that I had was to setup an |
|
humm... so if i create a clone site from bigbank.com, put it in ipfs, you will be able to see a "https" enabled phishing site |
Yes, but you can do the same in pure HTTP: trusting IPFS HTTP gateway is.. a gateway. HTTPS was not designed with IPFS in mind, and using TLS with gateway does not provide any authentication, only basic encryption. IMO authentication is provided by IPFS: hash of the root element in IPNS resource does match the one in DNS TXT record. |
@lidel: using HTTPS with an IPFS gateway is still a good idea, because it prevents people from listening in on your connection and recording your browsing history. IPFS already prevents them from modifying data in-transit, so it's not quite as useful, but if you're actually passing over a network (not just connecting to localhost) then it's a good idea to have HTTPS. @danielmotaleite: If bigbank.com was an IPFS-based site (designed to be immutable and fully separated from the banking API that it uses), it wouldn't matter which domain you host it on... Unless the site uses relative links: those could break or point to unintended resources when the domain is changed. But besides that, you would be able to ensure that you have a valid copy of the banking site, no matter who you get it from, just by checking the hash. |
With custom protocols (#70, #48) we could add the necessary flag to allow embedding: Also left a note in protocols.js |
Closing this one, we continue the "HTTP/HTTPS mixed-content" discussion in: |
When this is used with an https site & https gateway, it throws a mixed content error, like:
...Since localhost is on http. Obviously loading from localhost via http is fine, since it never actually goes over the network, but firefox will throw an error anyway.
Also, this isn't an error with the current version, but rather a problem that arises if it is modified and a gateway other than
http://gateway.ipfs.io
is used, or ifgateway.ipfs.io
supports https in the future.The text was updated successfully, but these errors were encountered: