[123744] in North American Network Operators' Group
Re: security questions
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Mon Mar 15 01:25:59 2010
To: Brandon Kim <brandon.kim@brandontek.com>
In-Reply-To: Your message of "Sat, 13 Mar 2010 22:08:56 -0400." <SNT119-W48F0FE98D63863C3F02918DC2F0@phx.gbl>
From: Valdis.Kletnieks@vt.edu
Date: Mon, 15 Mar 2010 01:24:50 -0400
Cc: nanog@nanog.org
On Sat, 13 Mar 2010 22:08:56 -0400, Brandon Kim said:
> Some sites use images located at a different webserver that isn't HTTPS,
> and sometimes there are hidden iframes that bring you info from non-secure
> sites. But the actual login is posted to an HTTPS server.
Well... that's almost, but not quite, correct.
The warning is because you may see a padlock displayed because the *outside*
frames are https:// but there are iframes/CSS/images/whatever that have been
fetched via other means - which creates 2 risks:
1) Those elements fetched via http:// traveled in the clear, and were thus
visible to a sniffer. And yes, there are web designers stupid enough to do
captcha graphics and bank records and similar via http://, causing an
information leakage problem going from the site towards the user.
2) Given the joys of javascript, etc, there are a number of security issues
with mixed-mode pages. A discussion of some of them is here:
http://code.google.com/p/support/issues/detail?id=3400
Note particularly the injection problem - if you're at a wifi hotspot or
similar, somebody can replace the non-secure parts and suddenly control the
horizontal and vertical on your page, while you still think it's secure.
(Yes they can screw with totally non-secure pages too, but a lot of people
implicitly trust https: more than http:)
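The check a practitioner would want after reading the above is a way to find the http:// subresources hiding behind an https:// padlock. The following is an added example, not code from the message or from anyone on the thread. It parses an HTML document with the standard library, resolves every subresource reference against the page URL (so protocol-relative "//host/x.js" and data: URLs are correctly left alone), and reports each http:// fetch, split into the two classes the W3C Mixed Content specification uses: "blockable" content such as scripts, frames and stylesheets, which an attacker on the hotspot can swap out to take over the page, and "optionally-blockable" content such as images, which mostly just leaks (the captcha-over-http case above). The sample page, its hostnames and the loopback exemption list are constructed for the example.

```python
"""Mixed-content scanner: flag subresources an https:// page fetches over http://.

Constructed example; the sample page and hostnames below are made up.
Categories follow the W3C Mixed Content spec: 'blockable' (script, iframe,
stylesheet, object, ...) can rewrite the page if tampered with in transit;
'optionally-blockable' (img, audio, video) mainly leaks what is fetched.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attribute on each tag that names the resource the browser will fetch.
RESOURCE_ATTRS = {
    "script": "src", "iframe": "src", "frame": "src", "embed": "src",
    "object": "data", "link": "href",
    "img": "src", "audio": "src", "video": "src", "source": "src",
}
# Tags whose content can execute or restyle the page (spec: "blockable").
ACTIVE_TAGS = {"script", "iframe", "frame", "embed", "object", "link"}
# Hosts the spec treats as potentially trustworthy even over plain http
# (assumed list for this example).
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


class MixedContentScanner(HTMLParser):
    """Collect (tag, resolved_url, severity) for every http:// subresource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        attrs = dict(attrs)
        ref = attrs.get(attr)
        if not ref:
            return
        # <link> only fetches something for certain rel values.
        if tag == "link":
            rel = set((attrs.get("rel") or "").lower().split())
            if not rel & {"stylesheet", "icon", "preload", "prefetch"}:
                return
        # Resolve relative and protocol-relative references against the page:
        # "//cdn/x.js" on an https page becomes https, so it is not mixed.
        resolved = urljoin(self.page_url, ref)
        parts = urlsplit(resolved)
        if parts.scheme != "http" or parts.hostname in LOOPBACK_HOSTS:
            return
        severity = "active" if tag in ACTIVE_TAGS else "passive"
        self.findings.append((tag, resolved, severity))


def scan(page_url, html):
    """Return mixed-content findings for an HTML document served at page_url."""
    if urlsplit(page_url).scheme != "https":
        return []  # nothing is "mixed" on a page that is not https itself
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: an https login page that would still show a padlock.
SAMPLE_URL = "https://bank.example/login"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://static.bank.example/site.css">
<link rel="stylesheet" href="//static.bank.example/theme.css">
<script src="http://cdn.example/jquery.js"></script>
<script src="/js/app.js"></script>
</head><body>
<form action="https://bank.example/auth" method="post">...</form>
<img src="http://captcha.bank.example/img?id=42">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
<iframe src="http://ads.example/frame"></iframe>
<img src="http://localhost:8080/dev.png">
</body></html>
"""

if __name__ == "__main__":
    for tag, url, severity in scan(SAMPLE_URL, SAMPLE_HTML):
        print(f"{severity:7} <{tag}> {url}")
```

On the sample page the scanner reports the http stylesheet, the http jQuery script and the http ad iframe as active findings (any of them lets a hotspot attacker rewrite the login form), and the captcha image as passive (it leaks, as in the message's point 1). The protocol-relative stylesheet, the site-relative script, the data: image and the localhost image are correctly ignored. Current browsers block active mixed content on their own, and a site can have the browser rewrite the rest with a `Content-Security-Policy: upgrade-insecure-requests` header, but the real fix is to serve every subresource over https in the first place.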