reproduce-devel

[task #15654] Webpage for videos introducing Maneage


From: Boud Roukema
Subject: [task #15654] Webpage for videos introducing Maneage
Date: Sun, 11 Jul 2021 18:48:14 -0400 (EDT)
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0

Follow-up Comment #12, task #15654 (project reproduce):

In commit 1c9e196, we seem to have an _http_ versus _https_ bug/feature. It's
a feature from a security point of view [1][2], but a bug for users in China
(depending on the specific details of the 's' in https used on maneage.org)
[3].

The problem is that if you access the maneage.org webpage as
http://maneage.org instead of https://maneage.org, then the https
peertube.stream server is considered by some browsers (such as firefox) as
incompatible in some way with the non-secure http method for the page as a
whole. The embedded video (after allowing all javascript and so on with
uMatrix or other safe-browsing features) shows an annulus with a rotating
section, against a black background, and continues for some time without
showing the video.

(Mohammad found this bug/feature first. :))

A simple solution for many users would be to force _https_ usage, i.e.
automatically redirect all users trying _http_ to _https_ e.g. something like

      # Redirect every plain-HTTP request to the same path over HTTPS.
      # The R=301 flag makes the redirect explicit and permanent; L stops
      # further rewrite processing once the rule has fired.
      RewriteEngine On
      RewriteCond %{HTTPS} off
      RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

in apache2.

The problem is that this would block some users in China [3]. China-based
users are already blocked from many particular websites by their own
government [4], which differs from the github situation of blocking users in
some countries/territories in which Microsoft/Github is _not_ based.

There might be a simple hack to cater for both http and https users, but I
haven't thought of how to do it. There's no point having redirection to https
as the default and having an alternative url 'http://plain-http.maneage.org'
(with almost identical content, but without https links) unless users know
where to find it. It would be inelegant to have to give both URLs every time
we point people to the website.

Youtube has no reason to care about user security - all that counts is
retaining political power and advertising funds, so it's unsurprising that we
didn't see this bug/feature with Youtube.

My feeling is that forcing https would be reasonable - given the current world
context of cyber-risks and cyber-education - and we could try to think of a
solution for non-https users later. Currently, almost all of the links on
_index.html_ are _https_, so in that sense our page is already fairly
unusable to http-only users. Many of these https sites that are not yet
TLS-1.3+ESNI (I didn't check!) will presumably shift to that soon.

[1]
https://security.stackexchange.com/questions/38317/specific-risks-of-embedding-an-https-iframe-in-an-http-page

[2]
https://security.stackexchange.com/questions/894/are-there-security-issues-with-embedding-an-https-iframe-on-an-http-page

[3]
https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni

[4] https://en.wikipedia.org/wiki/List_of_websites_blocked_in_mainland_China


    _______________________________________________________

Reply to this item at:

  <https://savannah.nongnu.org/task/?15654>

_______________________________________________
  Message sent via Savannah
  https://savannah.nongnu.org/
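The comment above describes a page served over plain http that embeds an https iframe, and a redirect that would force every visitor onto https. Before changing redirect policy it helps to know exactly which embedded resources on a page use a scheme different from the page itself. The following is an added example written for this page, not code from Maneage or the Savannah project; it parses a constructed HTML snippet with Python's standard library and classifies each embed relative to the page URL. The hostnames and paths in the sample HTML (other than maneage.org and peertube.stream, which the comment mentions) are made up for the example.

```python
"""Classify embedded resources on a page by URL scheme relative to the page.

Added example for the discussion above; not Maneage's own code.
Uses only the Python standard library.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes through which a page pulls in external content.
EMBED_ATTRS = {
    "iframe": "src", "script": "src", "img": "src",
    "video": "src", "source": "src", "link": "href",
}


class _EmbedCollector(HTMLParser):
    """Collect (tag, raw URL) pairs for every embedding element."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        wanted = EMBED_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.found.append((tag, value))


def classify(page_url, html):
    """Return a list of (tag, resolved_url, verdict) for each embed.

    Verdicts:
      same-scheme   - embed uses the page's own scheme (relative and
                      protocol-relative URLs inherit it)
      mixed-content - http embed on an https page; browsers block active
                      content (scripts, iframes) of this kind
      cross-scheme  - https embed on an http page, the case discussed above
    """
    page_scheme = urlsplit(page_url).scheme
    collector = _EmbedCollector()
    collector.feed(html)
    results = []
    for tag, raw in collector.found:
        resolved = urljoin(page_url, raw)   # resolves relative and // URLs
        scheme = urlsplit(resolved).scheme
        if scheme == page_scheme:
            verdict = "same-scheme"
        elif page_scheme == "https" and scheme == "http":
            verdict = "mixed-content"
        else:
            verdict = "cross-scheme"
        results.append((tag, resolved, verdict))
    return results


def summarize(page_url, html):
    """Count embeds per verdict for a page URL."""
    counts = {}
    for _, _, verdict in classify(page_url, html):
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed sample page: an https video iframe, an https script, a
# relative image, a protocol-relative image, and a legacy http stylesheet.
SAMPLE_HTML = """
<html><body>
<iframe src="https://peertube.stream/videos/embed/EXAMPLE-VIDEO-ID"></iframe>
<script src="https://cdn.example.org/player.js"></script>
<img src="/images/logo.png">
<img src="//static.example.org/badge.png">
<link rel="stylesheet" href="http://legacy.example.org/style.css">
</body></html>
"""

if __name__ == "__main__":
    for page in ("http://maneage.org/", "https://maneage.org/"):
        print(page, summarize(page, SAMPLE_HTML))
        for tag, url, verdict in classify(page, SAMPLE_HTML):
            print(f"  {verdict:14} {tag:7} {url}")
```

Running the script on the sample shows the asymmetry the comment is about: the same HTML served over http has two https embeds (the iframe and the script) that a browser treats differently from the rest of the page, while served over https it has one genuine mixed-content resource (the http stylesheet) that a browser will refuse to load. The protocol-relative `//` image follows the page scheme in both cases, which is one way to keep an embed consistent with however the page is reached.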