Encrypted pages with unencrypted content

Topher javert42 at cs.byu.edu
Fri Aug 17 11:25:40 MDT 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hill, Greg wrote:
>> Can you give me a list of any pages that serve up both encrypted and
>> unencrypted content?  I'm doing a little work on analyzing BYU's poor
>> security for its website, and I want to know how prevalent this
>> practice
>> is.
> 
> If you're referring to the IE "error" message, it simply means you have
> an image or other file embedded in the page that isn't on https.
> 
>> For an example of what I'm thinking of, try: http://ry.byu.edu/
> 
> 
> That redirected me to an https site, with images and javascript on
> regular http.  How is that a security risk, exactly?  I've always
> wondered why those messages even exist.
> 
> Greg

The biggest problem I see with this is that malicious javascript could
be injected into the script files coming over plain HTTP.  I don't have
a proof of concept for this yet, but I believe that with the appropriate
code injected, you could steal a password from somebody using the form
(in the case of http://ry.byu.edu).

In my opinion it's seriously bad form to have mixed content like that.
It forces the user to find out what exactly is being sent over HTTP in
order to be sure if the page is safe to use.  I understand that images
are safe to send, but I don't want to have to check that images are all
I'm getting over HTTP.


- --
Topher Fischer
GnuPG Fingerprint: 3597 1B8D C7A5 C5AF 2E19  EFF5 2FC3 BE99 D123 6674
javert42 at cs.byu.edu | http://www.thetopher.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFGxdnFL8O+mdEjZnQRAufQAJ4q0z/TQmqdcpY31dL7D8ykuuIX1wCdH2lZ
93TvBCLKOGW2pCC7/S6WqK0=
=0Gfj
-----END PGP SIGNATURE-----
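The distinction Topher draws above (scripts fetched over plain HTTP can be tampered with on the network and then read the login form; images cannot run code) is exactly the active/passive split browsers use for mixed content. The following checker is an added example, not code from this mailing-list thread: it parses an HTTPS page's HTML and lists every sub-resource that would be loaded over http://, grouped by severity. The sample HTML is constructed for the demonstration; https://ry.byu.edu/ is used only as the base address from the thread for resolving relative references, and the static.example.net host is made up.

```python
"""Mixed-content checker: find sub-resources an HTTPS page loads over plain HTTP.

Added example, not code from the original mailing-list post. Standard library
only. The sample HTML below is constructed; the base URL is the one mentioned
in the thread and is used only to resolve relative references.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose http:// sub-resources run code or restyle the page ("active"
# mixed content): whoever can tamper with one of these on the network
# controls the whole HTTPS page, including any login form on it.
ACTIVE = {
    "script": ("src",),
    "iframe": ("src",),
    "link": ("href",),      # stylesheets only; rel is checked below
    "object": ("data",),
    "embed": ("src",),
}
# Tags whose http:// sub-resources are merely displayed ("passive" mixed
# content): tampering can deface the page but does not execute code in it.
PASSIVE = {
    "img": ("src",),
    "audio": ("src",),
    "video": ("src", "poster"),
}


class MixedContentParser(HTMLParser):
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.findings = []  # list of (severity, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        if tag == "base" and attrs.get("href"):
            self.base_url = urljoin(self.base_url, attrs["href"])
            return
        if tag in ACTIVE:
            # <link> only matters when it pulls in a stylesheet
            if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                return
            severity, names = "active", ACTIVE[tag]
        elif tag in PASSIVE:
            severity, names = "passive", PASSIVE[tag]
        else:
            return
        for name in names:
            ref = attrs.get(name)
            if not ref:
                continue
            url = urljoin(self.base_url, ref)  # relative and //host refs inherit https
            if urlsplit(url).scheme == "http":
                self.findings.append((severity, tag, url))


def find_mixed_content(html, page_url):
    """Return [(severity, tag, url)] for every http:// sub-resource of an https:// page."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content is only defined for an https:// page")
    parser = MixedContentParser(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: roughly the situation described in the thread,
# an HTTPS login page that pulls scripts and images from plain HTTP.
SAMPLE_HTML = """
<html><head>
<script src="http://static.example.net/lib.js"></script>
<link rel="stylesheet" href="http://static.example.net/site.css">
<link rel="icon" href="http://static.example.net/favicon.ico">
<script src="/js/local.js"></script>
</head><body>
<img src="http://static.example.net/logo.gif">
<img src="//static.example.net/protocol-relative.gif">
<form method="post" action="/login"><input name="password" type="password"></form>
</body></html>
"""

if __name__ == "__main__":
    for severity, tag, url in find_mixed_content(SAMPLE_HTML, "https://ry.byu.edu/"):
        print(f"{severity:7} <{tag}> {url}")
```

On the sample page the checker reports the script and the stylesheet as active findings and the logo as passive; the protocol-relative image and the site-local script resolve to https:// and are not reported. Fixing the active findings is what matters for the password-theft scenario in the post; current browsers block active mixed content outright, and serving the page with a `Content-Security-Policy: upgrade-insecure-requests` header makes the browser rewrite such references to https:// before fetching them.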
