
Internet Explorer has the security setting shown in the screenshot below.

[Screenshot: "Block unsecured images" setting]

My understanding is that "unsecured images" are images that are not transmitted over HTTPS.

What I am curious about is why does this setting specify the blocking of images, as opposed to other possible non-HTTPS content?

Is there some benefit that can be gained by blocking images in particular? Or what is the reasoning behind this setting?

coderworks

1 Answer

The reasoning behind this is that in most cases, the unsecured content is only ad banners, and will not be of any concern. Thus IE allows insecure images on an otherwise secure page by default.

Note that it's NOT possible to run an image as JavaScript or executable code, so an unsecured image cannot affect the page contents on an otherwise secure page.

Other content, however, can modify the content on the page. For example, a JavaScript file loaded over an unsecured connection could modify the HTTPS page to, for example, change the action of a form, and if a hacker then modifies the .js file in transit, they could possibly "subvert" the HTTPS page.

However, there are 2 cases where images still might be a concern:

  • If the image is modified to be "protected by basic auth", then the browser might pop up an authentication dialog that can trick you into thinking the authentication dialog belongs to the HTTPS site. However, IE will warn (see this picture) if BASIC+HTTP is mixed:

https://lbadri.files.wordpress.com/2012/08/untitled1.png?w=700

If the attacker uses digest, he will not be able to gain any password information. So never enter any username or password if the dialog carries the warning above when you're on an HTTPS site. Only DIGEST+HTTP, BASIC+HTTPS or DIGEST+HTTPS will suppress the warning shown above.

But both these cases are very uncommon, so you can safely keep the setting off (allow loading of insecure images on HTTPS pages).

sebastian nielsen

Comment: What is not necessarily as uncommon is transmitting sensitive cookie values. So from an application perspective, all cookies should be marked as "secure", but from a user's perspective, if you don't trust applications to do this, this is when you would want to disable insecure images in mixed content. – Xander Mar 11 '15 at 22:47
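The answer's distinction, that a plain-HTTP script can rewrite an HTTPS page while a plain-HTTP image only renders bytes, is what browsers call active versus passive mixed content. The following is an added example (not from the original post or from IE) that scans a page's HTML for http:// sub-resources and sorts them into those two classes; the page URL, tag lists and sample HTML are assumptions constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose fetched resource can run code or restyle the page ("active"
# mixed content) versus tags that only render bytes ("passive", e.g. images).
ACTIVE = {"script": "src", "iframe": "src", "link": "href", "object": "data"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentScanner(HTMLParser):
    """Collect plain-http sub-resources referenced by a page served over HTTPS."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for kind, table in (("active", ACTIVE), ("passive", PASSIVE)):
            attr = table.get(tag)
            if not attr or not attrs.get(attr):
                continue
            # A <link> only counts as active when it pulls in a stylesheet.
            if tag == "link" and (attrs.get("rel") or "").lower() != "stylesheet":
                continue
            # Resolve relative and protocol-relative URLs against the HTTPS page.
            url = urljoin(self.page_url, attrs[attr])
            if urlsplit(url).scheme == "http":
                self.findings.append((kind, tag, url))


def scan_mixed_content(page_url, html):
    """Return {'active': [(tag, url), ...], 'passive': [...]} of http:// references."""
    parser = MixedContentScanner(page_url)
    parser.feed(html)
    out = {"active": [], "passive": []}
    for kind, tag, url in parser.findings:
        out[kind].append((tag, url))
    return out


# Constructed sample page (hypothetical hosts): an HTTPS page that embeds an
# ad banner over plain HTTP and a script over plain HTTP.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://cdn.example/site.css">
<script src="http://cdn.example/tracker.js"></script>
</head><body>
<img src="http://ads.example/banner.png">
<img src="/logo.png">
</body></html>
"""

if __name__ == "__main__":
    result = scan_mixed_content("https://bank.example/account", SAMPLE_HTML)
    for kind in ("active", "passive"):
        for tag, url in result[kind]:
            print(f"{kind:7} <{tag}> {url}")
```

The relative `/logo.png` resolves to https and is not reported; the script is the finding IE would block regardless of this setting, while the banner is the one the "Block unsecured images" option controls.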