Could https be enabled for tickets.musicbrainz.org?


#1

Subject says it all, basically. Is there a blocker except lack of round tuits?

My motivation is that I use torbrowser almost exclusively, and going to a site that absolutely needs JavaScript over http via Tor is a bit too dangerous for me.

I would be really grateful…


#2

For my information, why is it more dangerous than the same JavaScript code in HTTPS?


#3

MBH-393 is the ticket tracking this. I don’t know if @Zas has any comments on this, maybe?


#4

The S in HTTPS is for SSL, which is used not only to encrypt the traffic between the server and the client (so middlemen can’t see what is being transferred), but also to verify that the content sent from the server was actually sent from that server, preventing men-in-the-middle from injecting their own arbitrary JavaScript (or other) code in the content being sent to the client. (Well, not preventing, but letting the client know that the content has been tampered with somewhere between having been sent from the server and arriving at the client.)

See also:


#5

As Freso said: with plain HTTP, someone on the path may inject malicious JavaScript … and JS is one of the top attack vectors in browsers.

So to not get bad JS …
… with HTTPS, you have to trust the website (and its ad networks)
… with HTTP, you have to trust your ISP (and its ISP, etc.) as well
… with HTTP over Tor, you have to trust a random stranger and its ISP (but not yours)

(I’ll leave the CA ecosystem can-of-worms closed for the moment.)
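
Added example, not written by any poster in this thread: a minimal Python sketch of the point made in #4 and #5, that an intermediate hop can rewrite a plain HTTP response unnoticed, while an integrity-protected channel lets the client detect the change. HMAC-SHA256 under a random shared key stands in for TLS record protection (a simplification; real TLS negotiates keys in a handshake and uses AEAD ciphers), and all names and sample data are constructed for illustration.

```python
import hashlib
import hmac
import os

TAG_LEN = 32  # bytes in an HMAC-SHA256 tag
PAGE = b"<html><script src=/static/app.js></script></html>"  # constructed sample
INJECTED = b"<script>/* constructed: added in transit */</script>"


def _tag(key: bytes, seq: int, body: bytes) -> bytes:
    # The MAC covers a sequence number too, so records cannot be reordered.
    return hmac.new(key, seq.to_bytes(8, "big") + body, hashlib.sha256).digest()


def seal(key: bytes, seq: int, body: bytes) -> bytes:
    """Server side: append the integrity tag to the body."""
    return body + _tag(key, seq, body)


def open_record(key: bytes, seq: int, record: bytes) -> bytes:
    """Client side: hand the body to the browser only if the tag verifies."""
    body, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    if len(record) < TAG_LEN or not hmac.compare_digest(tag, _tag(key, seq, body)):
        raise ValueError("integrity check failed: record altered in transit")
    return body


def relay_modifies(data: bytes, tag_len: int = 0) -> bytes:
    """A hop without the session key inserts markup ahead of any trailing tag."""
    cut = len(data) - tag_len
    return data[:cut] + INJECTED + data[cut:]


def fetch(page: bytes, protected: bool, tampered: bool) -> bytes:
    """Return what the client would render, or raise if tampering is detected."""
    if not protected:  # plain HTTP: the client has nothing to verify
        return relay_modifies(page) if tampered else page
    key = os.urandom(32)  # assumption: stands in for the handshake-derived key
    record = seal(key, 0, page)
    if tampered:
        record = relay_modifies(record, TAG_LEN)  # the hop cannot recompute the tag
    return open_record(key, 0, record)


if __name__ == "__main__":
    print("HTTP, tampered:", fetch(PAGE, protected=False, tampered=True))
    try:
        fetch(PAGE, protected=True, tampered=True)
    except ValueError as err:
        print("Protected, tampered:", err)
```

As #4 notes, the protected channel does not stop the modification; it makes the client refuse the altered record instead of rendering it.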