: HTTPS page loading non-https images I have a https site which links to images from a cdn, as well as user-generated image links that are not https. I get errors like this in console:

@Berumen354

Yes it is something you should worry about. Most people will get a big scary warning from their browser that your page is insecure, this will scare away most people from staying on your site. Just automatically make all http links https on your website and the warnings will go away.

Vote Up Vote Down

@Yeniel560

Yes, it matters. When you have content served over plain HTTP in an HTTPS page, the user can't know what's secure and what's not on the page. Therefore, the security of the page can't be ensured.

Never tell your users to turn off these warnings or to ignore them.

See OWASP rule "Do Not Mix TLS and Non-TLS Content":


A page that is available over TLS must be comprised completely of
content which is transmitted over TLS. The page must not contain any
content that is transmitted over unencrypted HTTP. This includes
content from unrelated third party sites.

An attacker could intercept any of the data transmitted over the
unencrypted HTTP and inject malicious content into the user's page.
This malicious content would be included in the page even if the
overall page is served over TLS. In addition, an attacker could steal
the user's session cookie that is transmitted with any non-TLS
requests. This is possible if the cookie's 'secure' flag is not set.
See the rule 'Use "Secure" Cookie Flag'


EDIT:

To elaborate on this, checking that the website uses HTTPS is ultimately the sole responsibility of the user. They must expect HTTPS to be used, and used correctly, otherwise a MITM attacker could downgrade the connection to plain HTTP. (This is why automatic redirections from to are only partly useful; pre-loaded lists of HSTS sites can help.)

To make sure that the content they see is rendered from what the server sent, users must check that HTTPS is used, with the site they intended to visit and never ignore SSL/TLS warnings. This is a GUI problem.

Tolerating mixed content on a page makes it virtually impossible to check what was served over HTTPS and what wasn't. Even developers can struggle to find which resources are loaded over SSL/TLS and which ones aren't.

Resources loaded without HTTPS could have been changed to alter the page (different image, script that performs a different action, ...). In addition, in some cases, session cookies that should only be used in HTTPS will also be used over plain HTTP, allowing the attacker to steal the session (see OSWAP rules).

If you want to use HTTPS, make sure that (a) the user expects HTTPS to be used (that's not really a technical problem) and (b) all resources on the page also use HTTPS.

Vote Up Vote Down