[3.2][3.3][BETA] Image Redirect

A place for Extension Authors to post and receive feedback on Extensions still in development. No Extensions within this forum should be used within a live environment!
Get Involved
Forum rules
READ: phpBB.com Board-Wide Rules and Regulations

IMPORTANT: Extensions Development rules

IMPORTANT FOR NEEDED EVENTS!!!
If you need an event for your extension please read this for the steps to follow to request the event(s)
KYPREO
Registered User
Posts: 307
Joined: Fri Feb 02, 2018 9:56 am
Contact:

Re: [3.2][3.3][BETA] Image Redirect

Post by KYPREO »

Update: running Go-Camo instead of the Atmos Camo on Node.JS is working flawlessly. I have full SSL running on a test site in Windows 10 with IIS10 and there are not mixed content warnings. 8-) With this, I now finally have the confidence to convert my site to HTTPS. Once I tune the operation of Go-Camo as a windows service on my live board, I will write up some instructions.
AmigoJack wrote:
Fri Feb 14, 2020 7:49 am
KYPREO wrote:
Thu Feb 13, 2020 10:29 pm
pre-compiled binaries
To everyone (not you in particular) who is concerned about security and HTTPS: downloading over HTTP yourself just to present it on your own website via HTTPS has nothing to do with security. And doing it with an executable that you didn't compile yourself is just adding a man in the middle blackbox to that process from which you only assume what it does. If "avoiding mixed content" was all you ever wanted then this approach reveals a questionable understanding of security.
I appreciate you weren't specifically directing this at me, but I can't say I agree with you entirely. Yes, proxying content through HTTPS has nothing to do with security. However, you shouldn't assume this is why people are trying to do it.

Everything you wrote applies equally to any HTTPS delivering any content. All HTTPS has ever really implied is an secure CONNECTION for end-to-end encryption of communications through that channel. If I connect via HTTPS to a bogus site that steals my data and infects my computer with malware, all I'm doing is securing the connection to the bogus site and the site's content is still bogus. There are all sorts of websites that source external content dynamically, eg RSS feeds etc. You connect to those sites via HTTPS and the website connection from the web server to the external source is still obscured from the end user and could be connected through HTTP.

No one is trying to avoid mixed content warnings for the sake of it. The whole point of avoiding mixed content is that browsers now refuse to display HTTP content on a site connected by HTTPS. As of Chrome version 80 (released this year and soon to be rolled out across all Chrome browsers), Google Chrome will block all such mixed content. Use a Camo Proxy is not done to "secure" insecure content - it is simply a means by which content with a non-secure source will physically display on a phpBB board running in HTTPS.

Nonetheless, I do think a camo proxy for inline images does offer a small degree of additional security, privacy and performance in that:
- the camo proxy software has (among other things) an inbuilt mime-type check that will block requests to content with non-confirming mime-types. That is, if you are proxying an inline jpg and the origin server returns HTML or Javascript, the content will be blocked.
- in ordinary non-secure HTTP connection to hotlinked images, the end-user is forming a direct connection with the origin server, allowing it to log IP addresses. This is being done without the express consent of the end-user and thereby potentially contravenes the phpBB board's privacy policy (depending on the terms of that particular board's privacy policy). With a camo proxy, no headers from the end user of phpBB are passed to the origin server. The origin server only knows that it is connecting to the image camo proxy.
- I'm going a step further and sticking the camo proxy URL behind Cloudflare. This way there is a reverse proxy running behind a reverse proxy. With strict SSL set up on Cloudflare, only Cloudflare IPs will be able to connect to my camo proxy server (via authenticated origin pulls), plus every image will have the benefit of being cached at edge servers closest to the end-user's location. You can't do any of this if images are hotlinked - you are entirely at the mercy of the origin host.

At the very worst, using a camo proxy is no LESS secure than images being hotlinked in a board via HTTP.

Furthermore, this extension is designed to work alongside v12mike's fetch external images script. If you have run that script successfully (which incidentally also includes mime-type checks to ensure that only files truly matching the image extension are downloaded), the reality is that every single embedded image will actually be hosted on the same server as phpBB. Those images aren't being proxied at all - they are being served directly from the phpBB board. The camo proxy is there to fill in the gaps for any content that the script has not scraped successfully or new content posted by users since the script was last run.

As for using pre-compiled binaries, yes that can be a legitimate concern, but this is reputable open-source software used by thousands of websites.
Among the reputable websites using camo proxies, is GitHub itself (which as you probably know is wholly owned by Microsoft) and this board we are both using right now.

All the 3 camo proxy software packages mentioned in this topic publish their source code and instructions to build the software yourself, together with checksums to verify the downloaded binaries (where offered). In the case of Go-Camo, the binaries are built and pushed to GitHub automatically via GoReleaser (https://github.com/goreleaser/goreleaser). Yes I could learn to build the binaries myself if I could be bothered, but it's a matter of convenience they are made available pre-built and I have zero security concerns about it.

I agree that no one should be under any false sense of security that HTTPS secures anything but the user's connection to a website. However, I think criticism of the concept of camo proxying is unwarranted.
phpBB user since 2002
www.AusRotary.com

User avatar
AmigoJack
Registered User
Posts: 5697
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン
Contact:

Re: [3.2][3.3][BETA] Image Redirect

Post by AmigoJack »

KYPREO wrote:
Sat Feb 15, 2020 4:54 am
You connect to those sites via HTTPS and the website connection from the web server to the external source is still obscured from the end user and could be connected through HTTP.
That's the very point I mentioned earlier. That's also the point of HTTPS securing the connection, not the content: in consuming only HTTPS from one website I have no hint to see what is done under the hood - I rather opt to get mixed content or only HTTP resources (instead of proxied content) because then I at least know the connection is unsafe at some point. Proxying the last mile obfuscates this - that's the point, and you are aware of it. Not accessing resources directly of course also has its benefits (IP address, fingerprinting...).
KYPREO wrote:
Sat Feb 15, 2020 4:54 am
No one is trying to avoid mixed content warnings for the sake of it. The whole point of avoiding mixed content is that browsers now refuse to display HTTP content on a site connected by HTTPS.
To me this is the same: people bend for what Google defines as secure.
KYPREO wrote:
Sat Feb 15, 2020 4:54 am
an inbuilt mime-type check that will block requests to content with non-confirming mime-types
Nice. Unless it disregards HTTP statuses returned: if the source says 404 or 410 then the mime-type will differ, but just blocking this instead of carrying over that information would be counter productive IMO.
KYPREO wrote:
Sat Feb 15, 2020 4:54 am
At the very worst, using a camo proxy is no LESS secure than images being hotlinked in a board via HTTP.
That's where I disagree: you as the owner of the website might know what actually comes in via HTTP, but once you use other websites you have no way to tell to what extent a connection was secure. Sticking together 2 connections (one unsafe, then secured) still doesn't make it completely secure - the man in the middle is now the (endpoint) website owner, as the connection is now broken up by (the proxy) design.
KYPREO wrote:
Sat Feb 15, 2020 4:54 am
this is reputable open-source software used by thousands of websites
The majority of people also uses Wordpress and CISCO products, despite all the ongoing security holes over decades. No, being used by many is no hint of quality to me, as per experience. :cry:
The worst thing about censorship is ███████████
Affin wrote:
Tue Nov 20, 2018 9:51 am
The problem is probably not my English but you do not want to understand correctly.
...
We will not come anybody anyway, nevertheless, it's best to shit this.

v12mike
Registered User
Posts: 453
Joined: Thu Jul 09, 2015 5:03 pm

Re: [3.2][3.3][BETA] Image Redirect

Post by v12mike »

KYPREO wrote:
Sat Feb 15, 2020 4:54 am
Update: running Go-Camo instead of the Atmos Camo on Node.JS is working flawlessly. I have full SSL running on a test site in Windows 10 with IIS10 and there are not mixed content warnings. 8-) With this, I now finally have the confidence to convert my site to HTTPS. Once I tune the operation of Go-Camo as a windows service on my live board, I will write up some instructions.
Congratulations. I am sure that someone will appreciate more dtails of how to get this working reliably on IIS.

AmigoJack wrote:
Sat Feb 15, 2020 9:32 am
KYPREO wrote:
Sat Feb 15, 2020 4:54 am
an inbuilt mime-type check that will block requests to content with non-confirming mime-types
Nice. Unless it disregards HTTP statuses returned: if the source says 404 or 410 then the mime-type will differ, but just blocking this instead of carrying over that information would be counter productive IMO.
It does take HTTP status into account as well as mime type.

Post Reply

Return to “Extensions in Development”