
My (not so small) bank has a website for doing transactions over the internet, and it has an HTTPS website for it. But my Firefox 29 wrote that the website is just partially encrypted. I did a little search with Wireshark and found out that there is only one element using HTTP (and not HTTPS):

<script type="text/javascript" src="/static/portal/impl/j/jwplayer.js" charset="utf-8">

and this .js file uses/downloads via HTTP (I can see it in the about:cache):

http://l.longtailvideo.com/download/5/10/logo.png

So if I want to log into my bank's website to send money to someone, I have to use a website that is only partially encrypted because of that .png file.

My question: Isn't this dangerous? If there is an element on the HTTPS website that is downloaded via HTTP, then it's possible to do "bad things", no? For example, can someone on my LAN replace that .png file with a javascript or some other malicious stuff?

TildalWave
user45818

2 Answers


The non-SSL download incurs the theoretical (and also practical) risk of being intercepted by an active attacker, who will do "something else" with it.

Javascript, by itself, cannot do downloads from outside of its own domain; that is the point of the Same-Origin Policy. Since the Javascript is loaded from the bank domain (foo.com) but the download is from l.longtailvideo.com, then one must assume that the Javascript instructed the browser to do the download, most probably by inserting an <img> tag in the page HTML.

Browsers are, generally speaking, quite well protected against malicious pictures; otherwise, you would get hacked when you do Google searches or access various forums, because in many forums one can embed links to external pictures.

In your case, the picture is the logo for a video player in Javascript/Flash (depending on what the browser can do); I think it is this one, although maybe an older version because their logo appears to have changed. This blog post indirectly tells us that the player with the logo you observe was the "latest version" more than two years ago.

What is the worst that could happen? I suppose that the logo is displayed somewhere on the page. An industrious attacker could replace the logo contents with a picture of his own, possibly a bigger picture which would disrupt the page layout.

There are worse things, though. The attacker could return an HTTP "redirect" to make your browser send a GET request to any arbitrary other URL. You will probably find this past question interesting: it discusses what could happen with an <img> tag pointing to an attacker-controlled server. That applies to your case.

Anyway, the mere fact that your browser warns you is a bad thing: either the warning is important, and that's a security alert which should be treated as such; or the warning is spurious, and it trains the user into ignoring security warnings, which is not good at all in the long term.

Tom Leek
  • → Tom: How would you deal with an e-mail which would be "partially" encrypted? What level of trust would you give to such a "partially" protected communication? – dan May 01 '14 at 23:39

Yes it is dangerous. HTTPS provides end-to-end encryption, e.g. protects against a man-in-the-middle sniffing or worse manipulating the data. Consider the case where a javascript resource gets loaded over HTTP-only and the attacker can replace it with something else: thus the attacker might circumvent any security protections the website has by simply reading and writing the existing content.

To protect the user against this case, most modern browsers work around these broken sites by rejecting HTTP-only resources on HTTPS sites, but older ones do not.

Apart from that, you had better ask yourself if you still trust a bank to maintain the necessary security for online banking if they do not get this basic stuff right.

Steffen Ullrich
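One way to find the kind of mixed content both answers discuss, as an added example that is not code from either answer: a small standard-library scanner that lists every http:// subresource on an https:// page and separates the "active" kinds browsers block (scripts, frames, stylesheets) from the "passive" kinds they only warn about (images, media). The sample page and the bank/CDN hostnames in it are constructed to resemble the question.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Subresources a page fetches. Browsers block the "active" kinds (code or
# style that can rewrite the page) and only warn about "passive" ones (images,
# media). <link> is treated as active here, since it usually loads CSS.
ACTIVE = {"script", "iframe", "link", "object", "embed"}
PASSIVE = {"img", "audio", "video", "source", "track"}
URL_ATTRS = ("src", "href", "data")


class MixedContentScanner(HTMLParser):
    """Collects (tag, absolute_url, kind) for every http:// subresource."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ACTIVE and tag not in PASSIVE:
            return  # <a href> etc. are navigations, not mixed content
        for name, value in attrs:
            if name in URL_ATTRS and value:
                absolute = urljoin(self.page_url, value)  # resolve "/static/..."
                if urlsplit(absolute).scheme == "http":
                    kind = "active" if tag in ACTIVE else "passive"
                    self.findings.append((tag, absolute, kind))


def find_mixed_content(html, page_url):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


# Constructed sample resembling the question: the player script is loaded
# from the bank's own origin, but its logo (and a second script) over HTTP.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/style.css">
<script src="/static/portal/impl/j/jwplayer.js"></script>
</head><body>
<a href="http://example.org/help">help</a>
<img src="http://l.longtailvideo.com/download/5/10/logo.png">
<script src="http://cdn.example.net/analytics.js"></script>
</body></html>"""

if __name__ == "__main__":
    for tag, url, kind in find_mixed_content(SAMPLE_HTML, "https://bank.example.com/login"):
        print(f"{kind:7} <{tag}> {url}")
```

Run against the sample it reports the logo as passive and the analytics script as active, while the same-origin `/static/...` references resolve to https:// and are not flagged. On the server side, the `upgrade-insecure-requests` Content-Security-Policy directive makes browsers rewrite such http:// subresource URLs to https:// before fetching them.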