I appreciate you weren't specifically directing this at me, but I can't say I agree with you entirely. Yes, proxying content through HTTPS has nothing to do with security. However, you shouldn't assume this is why people are trying to do it.AmigoJack wrote: ↑Fri Feb 14, 2020 7:49 amTo everyone (not you in particular) who is concerned about security and HTTPS: downloading over HTTP yourself just to present it on your own website via HTTPS has nothing to do with security. And doing it with an executable that you didn't compile yourself is just adding a man in the middle blackbox to that process from which you only assume what it does. If "avoiding mixed content" was all you ever wanted then this approach reveals a questionable understanding of security.
Everything you wrote applies equally to any HTTPS delivering any content. All HTTPS has ever really implied is an secure CONNECTION for end-to-end encryption of communications through that channel. If I connect via HTTPS to a bogus site that steals my data and infects my computer with malware, all I'm doing is securing the connection to the bogus site and the site's content is still bogus. There are all sorts of websites that source external content dynamically, eg RSS feeds etc. You connect to those sites via HTTPS and the website connection from the web server to the external source is still obscured from the end user and could be connected through HTTP.
No one is trying to avoid mixed content warnings for the sake of it. The whole point of avoiding mixed content is that browsers now refuse to display HTTP content on a site connected by HTTPS. As of Chrome version 80 (released this year and soon to be rolled out across all Chrome browsers), Google Chrome will block all such mixed content. Use a Camo Proxy is not done to "secure" insecure content - it is simply a means by which content with a non-secure source will physically display on a phpBB board running in HTTPS.
Nonetheless, I do think a camo proxy for inline images does offer a small degree of additional security, privacy and performance in that:
- I'm going a step further and sticking the camo proxy URL behind Cloudflare. This way there is a reverse proxy running behind a reverse proxy. With strict SSL set up on Cloudflare, only Cloudflare IPs will be able to connect to my camo proxy server (via authenticated origin pulls), plus every image will have the benefit of being cached at edge servers closest to the end-user's location. You can't do any of this if images are hotlinked - you are entirely at the mercy of the origin host.
At the very worst, using a camo proxy is no LESS secure than images being hotlinked in a board via HTTP.
Furthermore, this extension is designed to work alongside v12mike's fetch external images script. If you have run that script successfully (which incidentally also includes mime-type checks to ensure that only files truly matching the image extension are downloaded), the reality is that every single embedded image will actually be hosted on the same server as phpBB. Those images aren't being proxied at all - they are being served directly from the phpBB board. The camo proxy is there to fill in the gaps for any content that the script has not scraped successfully or new content posted by users since the script was last run.
As for using pre-compiled binaries, yes that can be a legitimate concern, but this is reputable open-source software used by thousands of websites.
Among the reputable websites using camo proxies, is GitHub itself (which as you probably know is wholly owned by Microsoft) and this board we are both using right now.
All the 3 camo proxy software packages mentioned in this topic publish their source code and instructions to build the software yourself, together with checksums to verify the downloaded binaries (where offered). In the case of Go-Camo, the binaries are built and pushed to GitHub automatically via GoReleaser (https://github.com/goreleaser/goreleaser). Yes I could learn to build the binaries myself if I could be bothered, but it's a matter of convenience they are made available pre-built and I have zero security concerns about it.
I agree that no one should be under any false sense of security that HTTPS secures anything but the user's connection to a website. However, I think criticism of the concept of camo proxying is unwarranted.