Security of HTTP based authentication

Smylers Smylers at
Thu Jan 20 10:08:49 GMT 2011

Zbigniew Lukasiak writes:

> On Thu, Jan 13, 2011 at 3:17 PM, Abigail <abigail at> wrote:
> > On Thu, Jan 13, 2011 at 02:09:16PM +0000, Andrew Black wrote:
> > 
> > > I have often wondered about that - what is the risk in mixing HTTP
> > > images and HTTPS text?
> >
> > That would depend on the image, and the request to get that image,
> > wouldn't?
> Let's assume for now that it is about pure design images (or css), the
> same as used on non-authenticated pages.

The correct files may be pure design, but if the HTTP traffic has been
intercepted and malicious files substituted they could be more sinister:
background images or headers could have messages written on them; CSS
could hide relevant page elements, or bring in new content which
misleads users.

Even if you decide you don't care about this for your particular site,
there isn't a way of signalling that to browsers, so they won't show the
full 'this is a secure site' symbol in their interface.

(And apologies for taking a week to reply to this thread.)


More information about the mailing list