Security of HTTP based authentication

Smylers Smylers at stripey.com
Thu Jan 20 10:08:49 GMT 2011


Zbigniew Lukasiak writes:

> On Thu, Jan 13, 2011 at 3:17 PM, Abigail <abigail at abigail.be> wrote:
> 
> > On Thu, Jan 13, 2011 at 02:09:16PM +0000, Andrew Black wrote:
> > 
> > > I have often wondered about that - what is the risk in mixing HTTP
> > > images and HTTPS text?
> >
> > That would depend on the image, and the request to get that image,
> > wouldn't?
> 
> Let's assume for now that it is about pure design images (or css), the
> same as used on non-authenticated pages.

The correct files may be pure design, but if the HTTP traffic has been
intercepted and malicious files substituted they could be more sinister:
background images or headers could have messages written on them; CSS
could hide relevant page elements, or bring in new content which
misleads users.

Even if you decide you don't care about this for your particular site,
there isn't a way of signalling that to browsers, so they won't show the
full 'this is a secure site' symbol in their interface.

(And apologies for taking a week to reply to this thread.)

Smylers
-- 
http://twitter.com/Smylers2
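The risk Smylers describes (design-only CSS and images fetched over plain HTTP inside an HTTPS page, where a network attacker can swap them for files that hide elements or paint misleading content) is exactly what browsers call mixed content. A page owner can find it before a browser does. The following checker is an added example for this thread, not code from the original post or from the list: it parses an HTML document with the Python standard library and reports every image, stylesheet, script, iframe or CSS `url()` reference that would be fetched over http:// when the page itself is served over https://. The page URL and HTML below are constructed samples; the host names are placeholders.

```python
"""Mixed-content checker: flags subresources an HTTPS page loads over plain HTTP.

Added example for this thread, not code from the original post. Uses only the
standard library. Sample page URL and HTML at the bottom are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that trigger a subresource fetch, per element.
FETCH_ATTRS = {
    "img": ("src",),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "source": ("src",),
}

# Matches url(...) inside CSS, with or without quotes.
CSS_URL_RE = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.IGNORECASE)


class MixedContentParser(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # list of (where, resolved_url)
        self._in_style = False

    def _check(self, where, url):
        # Resolve relative and protocol-relative URLs against the page URL;
        # only an explicit http:// scheme survives resolution as plain HTTP.
        resolved = urljoin(self.page_url, url)
        if urlsplit(resolved).scheme == "http":
            self.findings.append((where, resolved))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            # Only <link> types that cause a fetch; rel=canonical etc. do not.
            rel = (attrs.get("rel") or "").lower().split()
            if not any(r in rel for r in ("stylesheet", "icon", "preload")):
                return
        for attr in FETCH_ATTRS.get(tag, ()):
            if attrs.get(attr):
                self._check(tag, attrs[attr])
        if attrs.get("style"):
            for url in CSS_URL_RE.findall(attrs["style"]):
                self._check(f"{tag}[style]", url)
        if tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # <style> bodies arrive here; scan them for url() references.
        if self._in_style:
            for url in CSS_URL_RE.findall(data):
                self._check("style", url)


def find_mixed_content(page_url, html):
    """Return [(where, url), ...] for every plain-HTTP subresource of an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        return []  # nothing is "mixed" on a page that is itself plain HTTP
    parser = MixedContentParser(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: an HTTPS account page pulling some design assets over HTTP.
SAMPLE_PAGE_URL = "https://shop.example.test/account"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://static.example.test/site.css">
<link rel="stylesheet" href="/css/local.css">
<link rel="canonical" href="http://shop.example.test/account">
<style>body { background: url(http://static.example.test/bg.png); }</style>
</head><body>
<img src="//static.example.test/logo.png">
<img src="http://static.example.test/header.png">
<div style="background-image:url('https://static.example.test/ok.png')"></div>
<script src="https://static.example.test/app.js"></script>
</body></html>"""

if __name__ == "__main__":
    for where, url in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"mixed content via <{where}>: {url}")
```

Run as a script it reports three findings: the stylesheet, the background image inside the `<style>` block, and the header image; the protocol-relative logo, the relative local stylesheet, the canonical link and the https:// assets are not flagged. Once the offending references are found, the fix is to serve them over HTTPS; sending `Content-Security-Policy: upgrade-insecure-requests` makes the browser rewrite such http:// fetches to https:// as a safety net while the templates are being corrected.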


More information about the london.pm mailing list