
An alleged SSL/TLS protocol vulnerability

Posted Sep 21, 2011 1:22 UTC (Wed) by ewen (subscriber, #4772)
In reply to: An alleged SSL/TLS protocol vulnerability by JoeBuck
Parent article: An alleged SSL/TLS protocol vulnerability

Assume everything is insecure if you're getting mixed HTTP/HTTPS. Because, well, it is, given that the HTTP portion could be replaced in transit with anything. As I saw pointed out a little while back, intercepting and replacing the JavaScript loaded for, e.g., the central copy of jQuery or Google Analytics, on the wire, would give a surprising amount of exploitation reach for not much effort once you're a MITM.

IIRC from a recent security conference talk, browser vendors are already leaning towards just blocking mixed HTTP/HTTPS content. (AFAICR the next Internet Explorer is going to block it, and Chrome/Mozilla are leaning that way once some of the more user-affecting breakage can be cleaned up.) Possibly things like this will push that a step closer. At which point sites with mixed content will have a stronger incentive to Not Do That (tm) -- their site will just not be loadable by more and more modern browsers.

Ewen



An alleged SSL/TLS protocol vulnerability

Posted Sep 21, 2011 4:32 UTC (Wed) by lindahl (subscriber, #15266) [Link]

I would love this solution -- our big problem at blekko with mixed content on our own website is that the 3rd parties that we work with don't have HTTPS for all of their stuff that we use. A browser ban would be perfect for helping us get the point across.

I surveyed a lot of HTTPS websites as part of our HTTPSPreferred(R) feature (mostly banks), and almost half of them threw a mixed http/https warning.

An alleged SSL/TLS protocol vulnerability

Posted Sep 21, 2011 7:10 UTC (Wed) by hpro (subscriber, #74751) [Link]

Would an initial approach with the browser declining to fetch any content over HTTP when the page itself is HTTPS not work? Like if an ad image is served HTTP on an HTTPS page, it would just not be loaded.
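The "just don't load it" policy discussed in ewen's and hpro's comments, as an added example (not code from the LWN thread or any browser): a scanner that resolves every subresource reference on an HTTPS page the way a browser would and lists the ones that would arrive over plain HTTP. The sample page and hostnames are constructed for the demonstration.

```python
# Added example (not from the LWN thread): flag HTTP subresources referenced
# from an HTTPS page, i.e. the "mixed content" a browser would refuse to load.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute naming the subresource it fetches (active and passive).
SUBRESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src",
                     "link": "href", "object": "data", "embed": "src"}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.blocked = []  # (tag, absolute URL) that a MITM could replace

    def handle_starttag(self, tag, attrs):
        attr = SUBRESOURCE_ATTRS.get(tag)
        ref = dict(attrs).get(attr) if attr else None
        if not ref:
            return
        # Resolve relative and protocol-relative ("//host/x") references
        # against the page URL, exactly as the browser would before fetching.
        absolute = urljoin(self.page_url, ref)
        if urlsplit(absolute).scheme == "http":
            self.blocked.append((tag, absolute))

def mixed_content(page_url, html):
    """Return the list of (tag, url) subresources that must not be loaded."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed-content rules only apply to HTTPS pages")
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.blocked

# Constructed sample: a central jQuery copy and an ad image over plain HTTP,
# a protocol-relative analytics script, and same-origin and HTTPS resources.
SAMPLE_PAGE = """<html><head>
<script src="http://ajax.example.net/jquery.js"></script>
<script src="//www.example.org/analytics.js"></script>
<link rel="stylesheet" href="/style.css">
</head><body>
<img src="http://ads.example.com/banner.png">
<img src="https://cdn.example.com/logo.png">
</body></html>"""

if __name__ == "__main__":
    for tag, url in mixed_content("https://www.example.com/", SAMPLE_PAGE):
        print("BLOCK", tag, url)
```

The protocol-relative reference is deliberately included: it resolves to HTTPS on an HTTPS page and so is not mixed content, which is why the check must be done on the resolved URL rather than on the raw attribute string.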

Copyright © 2013, Eklektix, Inc.