
I'm aware that, essentially, HTTPS encrypts data being sent and received, so it seems to me that nothing is compromised except the data being sent to or from HTTP, but this question is more for clarification: does having content served over HTTP make other data insecure? For example, if I'm requesting public images over HTTP on my server with SSL, am I compromising anything else besides the data of those images and the privacy that a user is viewing this data?

  • Other data *on the same page*, or more generally? An image loaded via HTTP on an HTTPS page could be swapped out for a different image, which might be a problem if your neighbor's face shows up on the FBI's Most Wanted list. A JavaScript asset loaded via HTTP could be MITMed to send the page's HTML to an attacker. – ceejayoz Nov 21 '17 at 19:49
  • Both, I suppose. My site is pulling images from a site with no SSL, but also pulls user information from another one of my other servers, but all of mine have SSL. – DJSweetness Nov 21 '17 at 19:50
  • In Chrome, the non-SSL images simply aren't going to load if they're on an HTTPS page. – ceejayoz Nov 21 '17 at 19:51
  • Wow. Okay, so basically I NEED to request everything from servers with SSL? @ceejayoz – DJSweetness Nov 21 '17 at 19:53
  • If the page is HTTPS, everything on it should also be HTTPS. Images, JavaScript, iframes, etc. – ceejayoz Nov 21 '17 at 19:54

1 Answer

Chrome and Firefox (I can't speak to Safari and IE; they might as well) block mixed content on an HTTPS page.

If the page's URL has https as the scheme, all assets on that page must be loaded via HTTPS. Images, fonts, JavaScript, iframes - if it's not HTTPS, it won't show up.

It's for the user's protection. There are a variety of potential attacks. An image loaded via HTTP on an HTTPS page could be swapped out for a different image, which might be a problem if your neighbor's face shows up on the FBI's Most Wanted list. A JavaScript asset loaded via HTTP could be MITMed to send your credit card to an attacker's server, etc.

ceejayoz
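
To find the assets the answer above refers to before a browser blocks them, this added example (not part of the original answer) audits an HTML page for subresources that would load over plain HTTP. The host names, the sample page and the active/passive grouping are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> (URL attribute, class); the active/passive split is a simplification.
LOADERS = {
    "script": ("src", "active"), "iframe": ("src", "active"),
    "link": ("href", "active"),  # counted only when rel=stylesheet
    "img": ("src", "passive"), "audio": ("src", "passive"),
    "video": ("src", "passive"), "source": ("src", "passive"),
}

class MixedContentAuditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (class, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        if tag not in LOADERS:
            return  # e.g. <a href> is navigation, not a subresource load
        attr, kind = LOADERS[tag]
        attrs = dict(attrs)
        rel = (attrs.get("rel") or "").lower().split()
        raw = (attrs.get(attr) or "").strip()
        if not raw or (tag == "link" and "stylesheet" not in rel):
            return
        # Resolve relative and protocol-relative (//host/x) references first.
        url = urljoin(self.page_url, raw)
        if urlsplit(url).scheme == "http":
            self.findings.append((kind, tag, url))

def audit(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on an HTTPS page
    auditor = MixedContentAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample page; every host name is a placeholder.
PAGE_URL = "https://shop.example.com/checkout"
SAMPLE_PAGE = """<head>
<link rel="stylesheet" href="http://static.example.net/site.css">
<link rel="canonical" href="http://shop.example.com/">
<script src="//cdn.example.net/app.js"></script>
<script src="http://cdn.example.net/tracker.js"></script>
</head><body><img src="http://images.example.org/cat.png">
<img src="/logo.png"><a href="http://example.org/">link</a>
<iframe src="http://widgets.example.org/embed"></iframe></body>"""
```

Call `audit(PAGE_URL, SAMPLE_PAGE)` to get the list of findings. Assets referenced from inside CSS or JavaScript, such as fonts, are not visible to this HTML-only pass.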