Mixing safe and untrusted content in a mobile web app

I have a mobile site served by SSL. We need to play some audio files that unfortunately don't play with ssl. If I serve them over http, they play just fine. The thing is, if I go this way, could I compromise the ssl security?

Thanks

+3




3 answers


Once you have the resources, the best way to do this is to force your server to receive a request from the user over SSL and then dynamically create a normal HTTP URL from which the client can be redirected to get content. Serve absolutely nothing but audio through this link, and exchange cookies / tokens / keys, etc. Also, if you are using tokens to track the session, be sure to set the secure flag in the cookie so that the user's browser does not transfer the contents of the token unless you are connecting via SSL / HTTPS, otherwise the token will be sent in plain text over HTTP after a redirect. The methods to achieve this vary from platform to platform, otherwise I would provide more specific instructions for this. However, this is quite common, so it is easy to find it.



It can also help your productivity as you will save a lot of server side processing by avoiding SSL encryption. Until the sound is sensitive, this is the way to go. Good luck!

+2
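The flow this answer describes, sketched as an added example that is not part of the original answer: an HTTPS handler redirects to a short-lived plain-HTTP audio URL, and the session cookie carries the Secure flag so the browser withholds it from that HTTP request. The HMAC-signed expiring link, the `/audio/` prefix, the host name, the key and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlencode, urlparse

SIGNING_KEY = b"constructed-demo-key"     # assumption: server-side secret, never sent to clients
AUDIO_HOST = "http://media.example.test"  # assumption: plain-HTTP host that serves only audio
TTL_SECONDS = 60                          # assumption: how long a generated link stays valid


def _sign(path, expires):
    """MAC over path and expiry, so neither can be changed without the key."""
    return hmac.new(SIGNING_KEY, f"{path}\n{expires}".encode(), hashlib.sha256).hexdigest()


def session_cookie_header(session_id):
    """Set-Cookie value issued by the HTTPS site; Secure keeps it off HTTP requests."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["secure"] = True
    cookie["session"]["httponly"] = True
    cookie["session"]["path"] = "/"
    return cookie["session"].OutputString()


def audio_redirect(path, now=None):
    """HTTPS handler: redirect to a plain-HTTP URL created for this request."""
    expires = (int(time.time()) if now is None else now) + TTL_SECONDS
    query = urlencode({"expires": expires, "sig": _sign(path, expires)})
    return 302, {"Location": f"{AUDIO_HOST}{path}?{query}"}


def audio_request_allowed(url, now=None):
    """HTTP audio host: serve only an unexpired, untampered link under /audio/."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    try:
        expires, sig = int(params["expires"][0]), params["sig"][0]
    except (KeyError, ValueError):
        return False
    if not parsed.path.startswith("/audio/") or ".." in parsed.path or expires < now:
        return False
    return hmac.compare_digest(sig.encode(), _sign(parsed.path, expires).encode())
```

The signed link only limits which files the HTTP host will hand out and for how long; the audio itself still crosses the network unencrypted and unauthenticated.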




First a question. Are you trying to play these audios in your default browser or do you have an application that plays it? (I am assuming that you are using a browser as you cannot change the client side).

It would be helpful if you could give a little more information about your problem. This way people can come up with all the interesting workarounds.

Also, you want to test how the browser will handle it. For example, some browsers complain about things like this (unsafe content). This may be a disable for some users.

I think SSL will survive this (you don't harm it) :) However, this sound will be transparent and open to all kinds of attacks (which SSL prevents). So, the most important question is: do you care?

If you are playing some simple audio effect, you do not have to. If you play proprietary audiobooks, this can be very important to you.



Update 1

One more idea (sorry I can't provide a fully tested solution because I'm out of my depth here).

Have you considered loading that sound with a script (over a secure channel), storing it in local storage (I assume HTML 5 allows it), or erasing it in memory and just from that local storage?

This way you can solve your problem.

0




I think it is mostly ok if it cannot run scripts. An attacker could still replace the video, although it could be exploiting a hole in the video decoder or for more mundane phishing. This also means that you are not protecting the privacy of the video.

0








