From: Simon Ruderich Date: Mon, 9 Dec 2013 20:45:49 +0000 (+0100) Subject: README: Describe another issue of -u. X-Git-Url: https://ruderich.org/simon/gitweb/?a=commitdiff_plain;h=061aa8165e1d74ab90b1fe3b07870536779a67ce;p=tlsproxy%2Ftlsproxy.git README: Describe another issue of -u. --- diff --git a/README b/README index b0124c1..1e1efa7 100644 --- a/README +++ b/README @@ -91,6 +91,11 @@ If you always verify the authentication of the connection this isn't a problem, but if you only check if it's a HTTPS connection then this attack is possible. +Another issue is embedded active content, like JavaScript. If the website +includes data from a different host (e.g. a different sub-domain), for which +tlsproxy has no certificate, then an attacker can MITM that connection and +inject JavaScript with unknown consequences into the browser. + KNOWN ISSUES ------------