0

What if the majority of the page is served via SSL properly (HTTPS) but there's some stray JavaScript file that is served unencrypted (HTTP)?

What's the risk here? Thanks

knocte
  • While not necessarily a duplicate, you might find [this answer](http://security.stackexchange.com/questions/258/what-are-the-pros-and-cons-of-site-wide-ssl-https) helpful. – RoraΖ Jan 06 '16 at 17:24
  • that is a question, not an answer :) you forgot the #anchor? ;) – knocte Jan 07 '16 at 02:19

2 Answers

2

If someone can inject my JavaScript code into the page, for instance by hijacking an unsecured connection, then they can basically take control of the entire page.

For instance, let's say you're trying to log in to That Website That Stores All Of Your Personal Information™, but one of the JavaScript files is served over an insecure connection. A rogue employee at your ISP intercepts this one connection, and injects JavaScript code that, when you click the "Log In" button, takes the username and password you entered and sends it to himself. Now he has control over your login information and can potentially steal your identity, based on the information that he can find on your account page (such as full name, address, phone number, last four digits of your credit card number etc.)

Frxstrem
0

You can get served a malicious JavaScript file pretending to be yours - via a man-in-the-middle attack. From there the file may run code that will attack your user: e.g. request the user's password (pretending a re-login request) and send it to another place. And there are more examples.
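
A defender-side check for the situation both answers describe, as an added example that is not part of the original posts: it scans the HTML of an HTTPS page for subresources that would be fetched over plain HTTP. It goes beyond the single stray script in the question by also covering stylesheets, frames and passive media; the names `find_mixed_content`, `MixedContentFinder` and `LOADERS` are hypothetical, and the sample page is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> (URL attribute, severity). "active" loads can script or restyle the
# page; "passive" loads only display media.
LOADERS = {"script": ("src", "active"), "iframe": ("src", "active"),
           "embed": ("src", "active"), "object": ("data", "active"),
           "img": ("src", "passive"), "audio": ("src", "passive"),
           "video": ("src", "passive"), "source": ("src", "passive")}


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url   # replaced if the page declares <base href>
        self.findings = []     # (severity, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href"):
            self.base = urljoin(self.base, a["href"])
            return
        if tag == "link" and "stylesheet" in (a.get("rel") or "").lower().split():
            attr, severity = "href", "active"
        elif tag in LOADERS:
            attr, severity = LOADERS[tag]
        else:
            return
        ref = (a.get(attr) or "").strip()
        # Resolve first: relative and //host/x references inherit the page scheme.
        url = urljoin(self.base, ref)
        if ref and urlsplit(url).scheme == "http":
            self.findings.append((severity, tag, url))


def find_mixed_content(page_url, html):
    """Return plain-HTTP subresources referenced by an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content is only defined for HTTPS pages
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page (example.com hosts are placeholders).
SAMPLE = """<head><script src="/js/app.js"></script>
<script src="//cdn.example.com/lib.js"></script>
<script src="http://static.example.com/stray.js"></script>
<link rel="stylesheet" href="https://example.com/site.css"></head>
<body><img src="http://img.example.com/logo.png"></body>"""
```

Calling `find_mixed_content("https://example.com/login", SAMPLE)` reports the stray script as active and the logo as passive. It only sees references present in the static HTML, not ones that scripts add at run time.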