HTTPS Everywhere brings HTTPS almost everywhere

Posted Jul 1, 2010 20:57 UTC (Thu) by Kwi (subscriber, #59584)
Parent article: HTTPS Everywhere brings HTTPS almost everywhere

"[Users] may still see the broken-lock icon in Firefox for some sites, because many services use HTTP servers for some of their own page content (such as images) and to include insecure third-party content."

I wonder why browsers still insist on flagging this behavior as particularly insecure. An https site can be perfectly secure and still reference images on a non-secured HTTP server, while (on the other hand) no amount of cryptography can protect the user if the site is not coded securely.

If my bank chooses to serve up a logo from a non-secured CDN, I'll just have to trust them that this makes sense. Just as I'd have to trust them not to display my card number in 10 feet tall letters on Times Square (can we get a browser warning for that?).

HTTPS Everywhere brings HTTPS almost everywhere

Posted Jul 2, 2010 7:44 UTC (Fri) by paulj (subscriber, #341) [Link]

If by "insecure third-party content" it means to include anything that can pull in javascripts, then the damage they can do includes things like "observe what you're doing" and "rewrite your whole page", is it not? I don't know enough about the HTML DOM and CSS, but even just with HTML and CSS you could certainly hide parts of the page, I think.

If the banking page I'm looking at can include javascript that could be modified by 3rd party, then I'd be unhappy if the browser told me the page was secure.

HTTPS Everywhere brings HTTPS almost everywhere

Posted Jul 3, 2010 11:13 UTC (Sat) by Kwi (subscriber, #59584) [Link]

But you'll be happy when the browser tells you the page is secure, because it only contains https content?

The browser can't give any guarantees about security! It can only guarantee that you're seeing the real website, secure or not.

Once identity has been established, it's completely irrelevant to the user whether all the HTTP requests are secure or not. In either case, the security level is entirely determined by the website, and the user doesn't get a say in the matter. (Okay, client-side vulnerabilities can lower the security, but that's another discussion.)

The warning maintains an illusion that the user has any way to diagnose an insecure website. Sure, the browser warns about this one particular case of reduced security, but has no way of warning about the millions of other potential security problems.

I'm not saying https is useless, far from it. To the website, it's a critical part of the overall security. But to the user, its only role is to verify the identity of the website, which the user may then choose to trust. Nothing else.
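The thread turns on the difference between an https page pulling in a plain-HTTP image and one pulling in plain-HTTP scripts or stylesheets. As an added example (not from any commenter or from the HTTPS Everywhere project), here is a small auditor that scans a page's HTML for sub-resources that would be fetched over HTTP and labels them "active" (script, iframe, object, embed, stylesheet: can run code or restyle the page) or "passive" (img, audio, video: can only be swapped for other media). The page URL and hostnames in the sample are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose plain-HTTP source can run code or restyle the page ("active")
# versus tags whose source can only be swapped for other media ("passive").
ACTIVE = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}

class MixedContentAuditor(HTMLParser):
    """Collects sub-resources an HTTPS page would fetch over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower():
            kind, attr = "active", "href"  # CSS can hide or overlay page content
        elif tag in ACTIVE:
            kind, attr = "active", ACTIVE[tag]
        elif tag in PASSIVE:
            kind, attr = "passive", PASSIVE[tag]
        else:
            return
        ref = attrs.get(attr)
        if ref:
            url = urljoin(self.page_url, ref)  # "//cdn/.." inherits the page scheme
            if urlsplit(url).scheme == "http":
                self.findings.append((kind, tag, url))

def audit(page_url, html):
    """Return (kind, tag, url) for every plain-HTTP sub-resource in html."""
    parser = MixedContentAuditor(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample page (assumed hostnames, not a real site).
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="//cdn.example.test/app.js"></script></head><body>
<img src="http://static.example.test/logo.png"><img src="/images/ok.png">
<script src="https://cdn.example.test/safe.js"></script></body></html>"""

if __name__ == "__main__":
    for kind, tag, url in audit("https://bank.example.test/login", SAMPLE):
        print(f"{kind:7} <{tag}> {url}")
```

Protocol-relative references (`//cdn...`) and site-relative paths inherit the page's https scheme and so are not flagged; only the stylesheet and the logo in the sample are.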

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds