
Is it really a security problem to have non-secure assets on an SSL page?

@Gloria169

Posted in: #Https

My understanding is that this is just an example of being overly cautious, but if my checkout form contains an insecure asset on it, that doesn't leave anybody's credit card numbers in danger of being caught by a man-in-the-middle.

I'm asking this because every once in a while, maybe because of cached content or whatnot, somebody writes in saying that they are seeing this "error" (even though there are no insecure assets on my page), but they want an explanation.

So yes, I can tell them all about encryption and certificates and trust and men-in-the-middle. But what do I tell them about this? How do I convince them that the site is 100% safe (and if it isn't, let me know that I'm mistaken!)


@Deb1703797

A “mixed scripting” vulnerability is caused when a page served over HTTPS loads a script, CSS, or plug-in resource over HTTP. A man-in-the-middle attacker (such as someone on the same wireless network) can typically intercept the HTTP resource load and gain full access to the website loading the resource. It’s often as bad as if the web page hadn’t used HTTPS at all.

googleonlinesecurity.blogspot.com/2011/06/trying-to-end-mixed-scripting.html

Security researchers and many web developers understand and articulate the threat well. There are 3 easy steps to attack the user through a mixed content vulnerability…

1) Set up a Man-in-the-Middle attack. These are most easily done on public networks such as those in coffee shops or airports.

2) Use a mixed content vulnerability to inject a malicious JavaScript file. Malicious code will run in an HTTPS website that the user browses to. The key point is that the HTTPS site has a mixed content vulnerability on it, which means that it executes content downloaded over HTTP. This is where the Man-in-the-Middle attack and Mixed Content vulnerability combine into a dangerous scenario.

“If some attacker is able to either tamper with Javascript or stylesheet files he can effectively also tamper with the other content on your page (e.g. by modifying the DOM). So it’s either all or nothing. Either all of your elements are served using SSL, then you are secure. Or you load some Javascript or stylesheet files from a plain HTTP connection, then you aren’t secure anymore.” - me

3) Steal the user’s identity (or do other bad things).

ie.microsoft.com/testdrive/Browser/MixedContent/Default.html?o=1
Related question: stackoverflow.com/questions/3778819/browser-mixed-content-warning-whats-the-point

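As an added example (not from the answer or the articles it links), a small Python audit that scans a page's HTML for the kind of resource loads the answer describes, separating active mixed content (scripts, stylesheets, frames, plug-ins, which hand a man-in-the-middle code execution inside the HTTPS page) from passive mixed content (images and media, which only alter what is displayed). The tag table and the sample checkout page are constructed assumptions for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attribute carrying each tag's subresource URL, grouped by what a plain-HTTP
# load lets a network attacker do. Assumed table modelled on browser behaviour.
ACTIVE = {"script": "src", "link": "href", "iframe": "src",
          "object": "data", "embed": "src"}  # attacker-controlled code runs
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentAuditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ACTIVE:
            # Only stylesheet <link>s are fetched as active content here.
            rel = (attrs.get("rel") or "").lower()
            if tag == "link" and "stylesheet" not in rel:
                return
            severity, attr = "active", ACTIVE[tag]
        elif tag in PASSIVE:
            severity, attr = "passive", PASSIVE[tag]
        else:
            return
        if not attrs.get(attr):
            return
        # Relative and protocol-relative ("//cdn/...") URLs inherit the page's
        # https scheme, so only an explicit http:// counts as a finding.
        absolute = urljoin(self.page_url, attrs[attr])
        if urlsplit(absolute).scheme == "http":
            self.findings.append((severity, tag, absolute))


def audit_mixed_content(html, page_url):
    """Return (active, passive) mixed-content findings for an HTTPS page."""
    auditor = MixedContentAuditor(page_url)
    auditor.feed(html)
    return ([f for f in auditor.findings if f[0] == "active"],
            [f for f in auditor.findings if f[0] == "passive"])


# Constructed checkout page: an HTTP script (page compromise), an HTTP image
# (cosmetic only) and a protocol-relative stylesheet that resolves to HTTPS.
SAMPLE_HTML = ('<html><head><link rel="stylesheet" href="//cdn.example.test/a.css">'
               '<script src="http://cdn.example.test/track.js"></script></head>'
               '<body><img src="http://cdn.example.test/logo.png">'
               '<form action="/pay"><input name="card"></form></body></html>')
```

Running `audit_mixed_content(SAMPLE_HTML, "https://shop.example.test/checkout")` reports the script as active and the image as passive while the protocol-relative stylesheet is clean; the active list is the one that answers the question, since any entry there undoes the protection of the card form's HTTPS.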

