Security of HTTP based authentication

Bruce Richardson itsbruce at
Thu Jan 13 15:06:09 GMT 2011

On Thu, Jan 13, 2011 at 02:13:12PM +0000, Roger Burton West wrote:
> On Thu, Jan 13, 2011 at 02:09:16PM +0000, Andrew Black wrote:
> >I have often wondered about that - what is the risk in mixing HTTP
> >images and HTTPS text?
> Leakage of Referer: header?

Theoretically, it could be used to attack the encryption of the HTTPS
channel.  The url of the image will be present both in the plain text
requests to the image server and the encrypted page content that was
sent to the user.  This provides the basis for a known plaintext attack.


It is impolite to tell a man who is carrying you on his shoulders that
his head smells.

More information about the mailing list