
@Chiappetta492

Posted in: #GoogleChrome #Https #MixedContentSecurity #Security

Google Chrome is probably one of the stricter browsers out there in terms of highlighting SSL errors.

Most browsers will point out when you are viewing an HTTPS page which loads insecure images/JavaScript. I understand how this is a security issue: an attacker could have modified the non-SSL content in a way which gives them access to the secure content, injected some JavaScript for example.

However once you have viewed an HTTPS page with mixed content, Google Chrome will continue showing you the mixed content warning (a red line through the 'https://') for as long as you stay browsing the same domain, even for subsequent pages which only include other HTTPS resources. Only once you navigate to another domain, or open a fresh tab does it tell you you're secure again.

What is the danger it's protecting you from here? How could mixed content on a previous page actually affect the security of subsequent secured pages? I understand that mixed content should be flagged up, but there must be a specific reason that Google is persisting this warning, other than "Well, you still need to know about it".


1 Comment


@Murphy175

The biggest problem with using mixed content is that (without explicitly preventing it) cookies are sent with both requests. That means a session cookie which should be used with a secure HTTPS connection will also be sent with an insecure HTTP page request, or even with a request for a picture.

If an attacker can read this session cookie, he can access the site with the same privileges as you do (if you are logged in, he is logged in as well). It doesn't help that you are switching back to HTTPS only, because the session is already hijacked.

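To make the answer's point concrete, here is an added example (not code from the thread or from any browser) of a minimal cookie jar that applies the `Secure` attribute and host/path matching the way RFC 6265 describes. The host `shop.example`, the cookie names and values are constructed; the `sid_weak` cookie lacks `Secure` and so leaks onto the plain-HTTP image request, while `sid_safe` is withheld.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str          # host that set the cookie (host-only match)
    path: str = "/"
    secure: bool = False


def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Parse a Set-Cookie header value received over HTTPS from request_host."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip(), request_host.lower())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie.secure = True
        elif key == "path" and val.strip():
            cookie.path = val.strip()
    return cookie


def cookies_for_request(jar: list, url: str) -> dict:
    """Return the cookies a browser would attach to a request for url."""
    u = urlsplit(url)
    host, path = (u.hostname or "").lower(), (u.path or "/")
    sent = {}
    for c in jar:
        if c.secure and u.scheme != "https":  # Secure: never over plain HTTP
            continue
        if host != c.domain or not path.startswith(c.path):
            continue
        sent[c.name] = c.value
    return sent


def demo() -> tuple:
    """Scenario from the answer: an HTTPS page sets two session cookies, then
    loads an image over plain HTTP from the same (constructed) host."""
    jar = [
        parse_set_cookie("sid_weak=abc123; Path=/", "shop.example"),
        parse_set_cookie("sid_safe=xyz789; Path=/; Secure", "shop.example"),
    ]
    http_image = cookies_for_request(jar, "http://shop.example/img/logo.png")
    https_page = cookies_for_request(jar, "https://shop.example/account")
    return http_image, https_page
```

Setting `Secure` (and serving the site with HSTS) is the mitigation the answer alludes to: the plain-HTTP image request then carries no session cookie at all.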

