Why load assets such as images, javascript, css etc, over HTTPS? Is it possible for these assets to be tampered with if I use HTTP? The only way I could conceive of tampering with HTTP loaded assets is to ARP poison the network and then inject packets for certain requests, but that kind of goes over my head. Can someone give me a clear example of how/why HTTP can be tampered with?
Asked
Active
Viewed 216 times
1
-
3Why use https for anything if you embed http javascript? – CodesInChaos Dec 26 '13 at 18:04
-
1@CodesInChaos This is like cleaning your dishes, and then right before you serve the meal you go around smearing feces on every dish. – rook Dec 27 '13 at 07:12
2 Answers
6
If you have a https page, but load some assets (JavaScript) over plain http, then:
- Many browsers (recent Chrome versions, maybe also Firefox) won't even load the script by default
- an attacker can intercept the script, and replace it with — for
example — another script that will simply copy the entire
<body>contents of your https page, rendering https useless if the first place. Or they can redirect the visitor to an entirely different, attacker-controlled site. Most visitors wouldn't notice the change in the URL and continue interacting with the attackers site, potentially giving away their password or other sensitive information.
Joel L
- 1,427
- 11
- 12
-
I have noticed that about recent browsers. Caused some very annoying and silent CSS loss for a brief period – OneChillDude Dec 26 '13 at 21:48
2
Anyone that can become a man in the middle can perform http manipulation. Check out mitmproxy for an example of how scripts, css, java applets etc can be inserted into an insecure connection. This is possible because http is a plain text protocol and as such can be manipulated by anyone that controls a transit point on any network used to reach your destination. SSL provides end to end encryption thus mitigating against such an attack. ARP cache poisoning is one way that an attacker that shares a network with you could pull of such an attack. In this type of attack the malicious party sends out arp packets that appear to be from the IP address of the next hop router. It causes your PC to send packets to the attackers machine where they have the ability to intercept and change data in transit. This would allow the attacker the ability to perform such an injection attack on an unsuspecting user. Any router that is between yourself and your destination could perform such an attack as well, but is unlikely unless it has also been infiltrated by an attacker.
Also check out ettercap this tool has been designed to perform ARP attacks and when combined with mitmproxy you can simulate this type of attack rather easily.
Mark S.
- 670
- 4
- 10