GNU bug report logs -
#11788
url-http does not properly handle https over proxy
Previous Next
Full log
View this message in rfc822 format
Eli Zaretskii writes:
>> From: lo2net <fangtao0901 <at> gmail.com>
>> Cc: Lars Ingebrigtsen <larsi <at> gnus.org>, schwab <at> linux-m68k.org,
>> ivan <at> siamics.net, 11788 <at> debbugs.gnu.org
>
>> Date: Thu, 31 Dec 2015 00:16:03 +0800
>>
>> >> Do you have FSF copyright assignments for Emacs on file?
>> >
>> > There's no assignment on file under the name lo2net <fangtao0901 <at> gmail.com>.
>>
>> What should I do next so this bug can be fixed ASAP? Although I've just
>> read http://www.gnu.org/software/emacs/CONTRIBUTE, but I still can't figure
>> out. Should I email request-assign.future to assign <at> gnu.org now?
>
> Form sent off-list.
Any news on the assignment?
I've stumbled upon this bug today, and IMHO this is actually pretty
serious. It should definitely be fixed for Emacs 25.1.
It would be OK if https over a proxy simply fails; what I've seen
however is that the proxy connects to the requested host via Port 80
instead (meaning plain http). When a site publishes the same content
over https as well as http, the user is led to believe that she
communicates over an secure channel, when in fact everything is
communicated over plain http. For instance, when I do
M-x eww RET https://www.google.de RET
Emacs will connect to the configured proxy and use a GET request:
GET https://www.google.de/ HTTP/1.1
...
At least the two proxies I tested with (CYAN, tinyproxy) will ignore the
'https' part and send a GET request to www.google.de on Port 80
instead. In effect, Eww will succesfully display the Google web site,
showing 'https://www.google.de' in its URL bar, while in fact everything
I now enter is send over plain http without encryption.
-David
This bug report was last modified 8 years and 228 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.