Encrypted pages with unencrypted content
Nicholas Leippe
nick at leippe.com
Fri Aug 17 11:13:44 MDT 2007
On Friday 17 August 2007, Hill, Greg wrote:
[snip]
> That redirected me to an https site, with images and JavaScript on
> regular http. How is that a security risk, exactly? I've always
> wondered why those messages even exist.
It's a security risk because the URLs themselves could contain sensitive data
obtained from the https connection of the page itself.
<img src="http://mysite/getimage_via_secret_key?key=my_secret">
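Added example, not part of the original post: a small check that parses a page served over https and reports every subresource it would fetch over plain http, along with the query parameter names that would cross the wire unencrypted. The function name, the tag/attribute list and the sample page are assumptions made for illustration; only the first <img> comes from the message above.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Tag -> attribute that triggers a subresource fetch (assumed list, not exhaustive).
URL_ATTRS = {"img": "src", "script": "src", "iframe": "src", "link": "href",
             "audio": "src", "video": "src", "source": "src", "embed": "src"}


class MixedContentFinder(HTMLParser):
    """Collect subresources an HTTPS page would request over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page = urlsplit(page_url)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if not url:
            return
        parts = urlsplit(url)  # urlsplit lowercases the scheme
        # Only absolute http:// URLs downgrade; relative and // URLs inherit https.
        if self.page.scheme == "https" and parts.scheme == "http":
            names = [n for n, _ in parse_qsl(parts.query, keep_blank_values=True)]
            self.findings.append({"tag": tag, "url": url, "cleartext_params": names})


def find_mixed_content(page_url, html):
    """Return one finding per subresource that leaves the encrypted channel."""
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page; the first <img> is the one quoted in the post.
SAMPLE = """
<html><body>
<img src="http://mysite/getimage_via_secret_key?key=my_secret">
<img src="/static/logo.png">
<script src="//mysite/app.js"></script>
<script src="HTTP://mysite/track.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for f in find_mixed_content("https://mysite/account", SAMPLE):
        print(f["tag"], f["url"], "cleartext params:", f["cleartext_params"])
```

On the sample it reports the <img> with its "key" parameter and the http script; the relative and protocol-relative URLs are not flagged because they inherit the page's https scheme.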