From b1e8da143edfed6ba26c59d1a83a755e7a8be9a4 Mon Sep 17 00:00:00 2001
From: Bernhard Posselt <dev@bernhard-posselt.com>
Date: Mon, 18 Jan 2016 20:14:43 +0100
Subject: add explanation for mixed passive content

---
 README.md | 42 +++++++++++++++++++++++++++++++++---------
 1 file changed, 33 insertions(+), 9 deletions(-)

(limited to 'README.md')
diff --git a/README.md b/README.md
index d78454aca..c15f85e3d 100644
--- a/README.md
+++ b/README.md
@@ -103,6 +103,35 @@ To receive notifications when a new News app version was released, simply add th
 
 ## FAQ
 
+### My browser shows a mixed content warning (Connection is Not Secure)
+If you are serving your ownCloud over HTTPS your browser will very likely warn you with a yellow warnings sign about your connection not being secure.
+
+Chrome will show no green HTTPS lock sign, Firefox will show you the following image
+![Mixed Passive Content](https://ffp4g1ylyit3jdyti1hqcvtb-wpengine.netdna-ssl.com/security/files/2015/10/mixed-passive-click1-600x221.png)
+
+Note that this warning **is not red and won't block the page like the following images** which signal **a serious issue**:
+
+![Untrusted Cert](http://www.inmotionhosting.com/support/images/stories/website/errors/ssl/chrome-self-signed-ssl-warning.png)
+![Mixed Active Content](http://www.howtogeek.com/wp-content/uploads/2014/02/650x367xchrome-mixed-content-https-problem.png.pagespeed.gp+jp+jw+pj+js+rj+rp+rw+ri+cp+md.ic.r_lQiZiq38.png)
+
+**What is the cause of the (yellow) error message**
+This warning is caused by [mixed passive content](https://developer.mozilla.org/en/docs/Security/MixedContent) and means that your page loads resources from non HTTPS resources, such as:
+* Images
+* Video/Audio
+
+This allows a possible attacker to perform a MITM (man-in-the-middle) attack by serving you different images or audio/video.
+
+**Why doesn't the News app fix it**
+The News app fully prevents mixed **active** content by only allowing HTTPS iframes from known locations; other possible mixed active content elements such as \<script> are stripped from the feed. Because images and audio/video are an integral part of a feed, we can not simply strip them.
+
+Since an attacker can not execute code in contrast to mixed active content, but can only replace images in your feed reader, this is **not considered to be a security issue**. If, for whatever reason, this is a security problem for you, contact the specific feed provider and ask him to serve his feed content over HTTPS.
+
+**Why don't you simply use an HTTPS image/audio/video proxy**
+For the same reason that we don't add an HTTPS proxy for websites: It does not fix the underlying issue but only silences it. If you are using an image HTTPS proxy, an attacker can  simply MITM your image proxy. **Even worse**: if your image proxy serves these images from the same domain as your ownCloud installation you [are vulnerable to XSS via SVG images](https://www.owasp.org/images/0/03/Mario_Heiderich_OWASP_Sweden_The_image_that_called_me.pdf). Since most people don't understand mixed content and don't have two domains and a standalone server for the image proxy, it is very likely that by offering the image proxy option we will actually make people's installation more insecure than before.
+
+The only fix for this issue is that feed providers serve their content over HTTPS.
+
+
 ### I am getting Exception: Some\\Class does not exist erros in my owncloud.log
 This is very often caused by missing or old files, e.g. by failing to upload all of the News app' files or errors during installation. Before you report a bug, please recheck if all files from the archive are in place and accessible.
 
@@ -133,7 +162,10 @@ Check the **owncloud/data/owncloud.log** for hints why it failed. After the issu
 ### Adding feeds that use self-signed certificates
 If you want to add a feed that uses a self-signed certificate that is not signed by a trusted CA the request will fail with "SSL certficate is invalid". A common solution is to turn off the certificate verification **which is wrong** and **makes your installation vulnerable to MITM attacks**. Therefore **turning off certificate verification is not supported**.
 
-If you have control over the feed in question, consider signing your certificate for free using [StartSSL](https://www.startssl.com/) or wait until September when [letsencrypt.com](http://letsencrypt.com/) goes online.
+If you have control over the feed in question, consider signing your certificate for free on one of the following providers:
+* [letsencrypt.com](http://letsencrypt.com/)
+* [StartSSL](https://www.startssl.com/)
+* [WoSign](https://www.wosign.com/)
 
 If you do not have control over the chosen feed, you should [download the certificate from the feed's website](http://superuser.com/questions/97201/how-to-save-a-remote-server-ssl-certificate-locally-as-a-file) and [add it to your server's trusted certificates](https://turboflash.wordpress.com/2009/06/23/curl-adding-installing-trusting-new-self-signed-certificate/). The exact procedure however may vary depending on your distribution.
 
@@ -162,11 +194,3 @@ exploreUrl =
 * **feedFetcherTimeout**: Maximum number of seconds to wait for an RSS or Atom feed to load. If a feed takes longer than that number of seconds to update, the update will be aborted
 * **useCronUpdates**: To use a custom update/cron script you need to disable the cronjob which is run by ownCloud by default by setting this to false
 * **exploreUrl**: If given that url will be contacted for fetching content for the explore feed
-
-Translations
-------------
-For translations in other languages than English, we rely on the [Transifex](https://www.transifex.com/) platform.
-
-If you want to help with translating the app, please do not create a pull request. Instead, head over to https://www.transifex.com/projects/p/owncloud/resource/news/ and join the team of your native language.
-
-If approved, the translation will be automatically ported to the code within 24 hours.
-- 
cgit v1.2.3

