security questions

Valdis.Kletnieks at vt.edu
Mon Mar 15 05:24:50 UTC 2010


On Sat, 13 Mar 2010 22:08:56 -0400, Brandon Kim said:

> Some sites use images located at a different webserver that isn't HTTPS,
> and sometimes there are hidden iframes that bring you info from non-secure
> sites. But the actual login is posted to an HTTPS server.

Well... that's almost, but not quite, correct.

The warning is because you may see a padlock displayed because the *outside*
frames are https:// but there are iframes/CSS/images/whatever that have been
fetched via other means - which creates 2 risks:

1) Those elements fetched via http:// traveled in the clear, and were thus
visible to a sniffer. And yes, there are web designers stupid enough to do
captcha graphics and bank records and similar via http://, causing an
information leakage problem going from the site towards the user.

2) Given the joys of javascript, etc, there are a number of security issues
with mixed-mode pages.  A discussion of some of them is here:

http://code.google.com/p/support/issues/detail?id=3400

Note particularly the injection problem - if you're at a wifi hotspot or
similar, somebody can replace the non-secure parts and suddenly control the
horizontal and vertical on your page, while you still think it's secure.
(Yes they can screw with totally non-secure pages too, but a lot of people
implicitly trust https: more than http:)


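A defender-side check for the mixed-content problem described above, written as an added example (it is not code from the original post or from the NANOG thread): it walks the HTML of a page that was itself served over https and flags every subresource fetched via an explicit http:// URL, separating the elements an injector could use to take over the page (scripts, frames, stylesheets, form targets) from those that merely travel in the clear (images, media). The hostnames and markup in SAMPLE are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Element -> attribute naming the fetched resource. Replacing an "active"
# resource lets an injector run code or reshape the page; a "passive" one
# only exposes or swaps a displayed asset (a captcha image, a statement).
ACTIVE = {"script": "src", "iframe": "src", "link": "href", "object": "data",
          "form": "action"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (severity, tag, url) in document order
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ACTIVE:
            severity, attr = "active", ACTIVE[tag]
            # Only a stylesheet <link> can restyle the page; other rels are passive.
            if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                severity = "passive"
        elif tag in PASSIVE:
            severity, attr = "passive", PASSIVE[tag]
        else:
            return
        url = (attrs.get(attr) or "").strip()
        # Relative and //host URLs inherit https; only an explicit http:// is mixed.
        if urlsplit(url).scheme.lower() == "http":
            self.findings.append((severity, tag, url))

def scan(html):
    parser = MixedContentScanner()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: an https login page with three mixed-content mistakes.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="//cdn.example.test/app.js"></script></head><body>
<form action="https://login.example.test/auth"><input name="u"></form>
<img src="http://images.example.test/captcha.png">
<iframe src="http://ads.example.test/promo.html"></iframe>
<img src="/static/logo.png">
</body></html>"""

if __name__ == "__main__":
    for severity, tag, url in scan(SAMPLE):
        print(f"{severity:7} <{tag}> {url}")
```

On the sample this reports the stylesheet and the iframe as active and the captcha image as passive; the scheme-relative script, the https form target and the relative logo are left alone. Modern browsers block active mixed content outright, and a `Content-Security-Policy: upgrade-insecure-requests` header makes them rewrite the remaining http:// subresources to https before fetching.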

