
HTTPS Everywhere brings HTTPS almost everywhere

Posted Jul 2, 2010 7:44 UTC (Fri) by paulj (subscriber, #341)
In reply to: HTTPS Everywhere brings HTTPS almost everywhere by Kwi
Parent article: HTTPS Everywhere brings HTTPS almost everywhere

If by "insecure third-party content" it means to include anything that can pull in javascripts, then the damage they can do includes things like "observe what you're doing" and "rewrite your whole page", is it not? I don't know enough about the HTML DOM and CSS, but even just with HTML and CSS you could certainly hide parts of the page, I think.

If the banking page I'm looking at can include javascript that could be modified by a third party, then I'd be unhappy if the browser told me the page was secure.


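The point above, that a script or stylesheet fetched over plain HTTP into an HTTPS page can observe or rewrite everything on it, is what browsers call "active mixed content". Below is an added example (not code from the thread or from the HTTPS Everywhere project) that scans an HTML document for subresource references using an insecure scheme and classifies them the way browsers do: active (script, stylesheet, iframe, object, embed) versus passive (images and media, which can only show attacker-chosen pixels). The sample page, its hostnames and the function names are constructed for illustration.

```python
"""Find mixed content in an HTML page: subresources that an HTTPS page would
fetch over plain http://, which an on-path attacker could replace.

Added example; the sample page and hostnames below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Elements whose content executes or restyles the page ("active" mixed
# content): whoever controls one can read form input or rewrite the DOM.
ACTIVE = {
    "script": ("src",),
    "link": ("href",),   # counted only when rel contains "stylesheet"
    "iframe": ("src",),
    "object": ("data",),
    "embed": ("src",),
}
# Elements that can only display attacker-chosen pixels or sound ("passive").
PASSIVE = {
    "img": ("src",),
    "audio": ("src",),
    "video": ("src",),
    "source": ("src",),
}


class MixedContentScanner(HTMLParser):
    """Collect (severity, tag, url) for every http:// subresource reference."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Only stylesheet <link>s are active content; icons/preloads are not.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for table, severity in ((ACTIVE, "active"), (PASSIVE, "passive")):
            for name in table.get(tag, ()):
                url = attrs.get(name)
                # urlsplit lowercases the scheme; protocol-relative "//host/x"
                # has no scheme and inherits https, so it is not flagged.
                if url and urlsplit(url).scheme == "http":
                    self.findings.append((severity, tag, url))


def find_mixed_content(html):
    """Return a list of (severity, tag, url) findings in document order."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def worst_severity(findings):
    """'active' if any finding lets a third party run code, else 'passive' or None."""
    severities = {severity for severity, _, _ in findings}
    if "active" in severities:
        return "active"
    if "passive" in severities:
        return "passive"
    return None


# Constructed sample page with a mix of secure and insecure references.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<link rel="icon" href="http://cdn.example.test/favicon.ico">
<script src="https://cdn.example.test/app.js"></script>
<script src="HTTP://analytics.example.test/track.js"></script>
</head><body>
<img src="http://images.example.test/logo.png">
<iframe src="//widgets.example.test/chat"></iframe>
</body></html>
"""

if __name__ == "__main__":
    found = find_mixed_content(SAMPLE_PAGE)
    for severity, tag, url in found:
        print(f"{severity:7} <{tag}> {url}")
    print("worst:", worst_severity(found))
```

Running the block against the sample page reports the stylesheet and the tracking script as active findings and the logo as passive; the favicon link and the protocol-relative iframe are not flagged. On the server side, the same class of problem is closed by sending `Content-Security-Policy: upgrade-insecure-requests` (rewrite http:// subresource fetches to https://) or `Content-Security-Policy: block-all-mixed-content`, both of which browsers honour, so the page never depends on the user noticing a lock icon.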

HTTPS Everywhere brings HTTPS almost everywhere

Posted Jul 3, 2010 11:13 UTC (Sat) by Kwi (subscriber, #59584) [Link]

But you'll be happy when the browser tells you the page is secure, because it only contains https content?

The browser can't give any guarantees about security! It can only guarantee that you're seeing the real bankofcalisota.com website, secure or not.

Once identity has been established, it's completely irrelevant to the user whether all the HTTP requests are secure or not. In either case, the security level is entirely determined by the website, and the user doesn't get a say in the matter. (Okay, client-side vulnerabilities can lower the security, but that's another discussion.)

The warning maintains an illusion that the user has any way to diagnose an insecure website. Sure, the browser warns about this one particular case of reduced security, but has no way of warning about the millions of other potential security problems.

I'm not saying https is useless, far from it. To the website, it's a critical part of the overall security. But to the user, its only role is to verify the identity of the website, which the user may then choose to trust. Nothing else.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds