Encrypted pages with unencrypted content
javert42 at cs.byu.edu
Fri Aug 17 11:25:40 MDT 2007
Hill, Greg wrote:
>> Can you give me a list of any pages that serve up both encrypted and
>> unencrypted content? I'm doing a little work on analyzing BYU's poor
>> security for its website, and I want to know how prevalent this
> If you're referring to the IE "error" message, it simply means you have
> an image or other file embedded in the page that isn't on https.
>> For an example of what I'm thinking of, try: http://ry.byu.edu/
> regular http. How is that a security risk, exactly? I've always
> wondered why those messages even exist.
be injected into the script files coming over plain HTTP. I don't have
a proof of concept for this yet, but I believe that with the appropriate
code injected, you could steal a password from somebody using the form
(in the case of http://ry.byu.edu).
In my opinion it's seriously bad form to have mixed content like that.
It forces the user to find out what exactly is being sent over HTTP in
order to be sure if the page is safe to use. I understand that images
are safe to send, but I don't want to have to check that images are all
I'm getting over HTTP.
GnuPG Fingerprint: 3597 1B8D C7A5 C5AF 2E19 EFF5 2FC3 BE99 D123 6674
javert42 at cs.byu.edu | http://www.thetopher.com
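The point of the message above is that the browser's "mixed content" warning is not noise: an HTTPS page that pulls a script over plain HTTP inherits the integrity of that HTTP connection, whereas an HTTP image can only be swapped for another image. The following checker, added here as an example and not code from the thread or from BYU, walks a page the way an auditor would and reports each plain-HTTP subresource, labelling script, iframe, object and stylesheet references as active and images and media as passive. It uses only the Python standard library; the sample page and the example.com host names are constructed for the demonstration.

```python
"""Mixed-content checker: report plain-HTTP subresources on an HTTPS page.

Added example (not from the original mailing-list post). Stdlib only.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Subresources that can execute code or rewrite the document ("active"),
# versus ones that can only display something ("passive").
ACTIVE = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentParser(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ACTIVE:
            ref, kind = attrs.get(ACTIVE[tag]), "active"
        elif tag in PASSIVE:
            ref, kind = attrs.get(PASSIVE[tag]), "passive"
        elif tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower():
            ref, kind = attrs.get("href"), "active"  # CSS can restyle/hide the form
        else:
            return
        if not ref:
            return
        # Resolve relative and protocol-relative (//host/path) references
        # against the page URL, then inspect the resulting scheme. A
        # protocol-relative URL on an HTTPS page resolves to HTTPS.
        url = urljoin(self.page_url, ref)
        if urlsplit(url).scheme == "http":
            self.findings.append((kind, tag, url))


def find_mixed_content(page_url, html):
    """Return [(kind, tag, absolute_url)] for every http:// subresource
    referenced by an https:// page. A page served over plain HTTP has no
    "mixed" content in this sense, so it yields []."""
    if urlsplit(page_url).scheme != "https":
        return []
    parser = MixedContentParser(page_url)
    parser.feed(html)
    return parser.findings


# Constructed sample page, loosely modelled on a login form served over
# HTTPS that pulls assets from a plain-HTTP host. example.com is a placeholder.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="http://static.example.com/site.css">
<script src="http://static.example.com/login.js"></script>
<script src="/js/safe.js"></script>
</head><body>
<img src="http://static.example.com/logo.png">
<img src="//static.example.com/banner.png">
<form method="post" action="https://example.com/login">
  <input name="netid"><input type="password" name="password">
</form>
</body></html>
"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content("https://example.com/login", SAMPLE_PAGE):
        print(f"{kind:7} <{tag}> {url}")
```

On the sample page the checker flags the stylesheet and the `login.js` script as active mixed content and the logo as passive; `/js/safe.js` and the protocol-relative banner resolve to HTTPS and are not reported. The active findings are the ones that matter for the password-theft concern raised in the thread: a script loaded over HTTP is, to the page, indistinguishable from one the site intended to ship. Modern browsers block active mixed content outright rather than just warning, but a checker like this is still useful for auditing a site's own templates before users see any warning at all.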