Issues with "Use a standard connection" / "Only use a secure https connection"

There are two problems with the HTTP vs. HTTPS setting, one problem with each possible value.

Problem 1 - if you serve all content over HTTPS, and then “story” mode loads content over HTTP, Firefox will refuse to display it unless you whitelist every single page for this purpose individually, which kind of feels like the wrong solution. I imagine other browsers will follow suit.

Problem 2 - if you serve all content over HTTP, the session cookie is unprotected and all you need to hijack the session is that value.

The latter would probably be fine if HTTPS and an additional secure cookie was required to access the account settings / preferences. As it stands, an attacker gaining the session cookie value over HTTP could delete an account, cancel payments, access personal details, etc.

Suggested solution pro: Account details safe, con: additional complexity and additional login required to access settings if you’re using HTTP only mode.

1 Like

So this is a known issue / conundrum, if you search for “mixed content” here (https://getsatisfaction.com/newsblur/…) it’ll show up plenty of other threads about it.

Unfortunately Chrome and IE already have something similar and Firefox recently added it. There have been suggestions that installing a HTTPS everywhere add-on will fix some of the issues but nothing will fix content that is pure HTTP.

Whitelisting NewsBlur to allowed mixed content seems like the lesser of the evils but you can’t even do this in Firefox yet. :frowning: https://bugzilla.mozilla.org/show_bug…

Well, securing access to the more sensitive bits of the site would completely negate the problem. Content of news feeds doesn’t need to be served over HTTPS, and neither does a list of unread items.

The password / account details probably should though, and the only way to securely mix HTTP for content and HTTPS for account maintenance is to have a secondary authentication method, i.e. a secure cookie for account maintenance only. Then at least if an attacker steals your existing auth cookie, all they’re able to do is read your feeds.