What are the dangers in exposing static resources of your secure web application unsecured?

Question

We are creating typical web applications secured by https. In order to be able to cache static resources, I would like to expose images, javascript files etc. over http. Otherwise they don’t get cahched. Is this advisable from security point of view? What are the risks involved?

EDIT: I would like to have static content cached by proxies and by browsers. Actually, the most important issue here is having this content cached by reverse proxy, so I don't have to distribute static content manually to http server (reverse proxy).

Answer 1

Its easier to snoop data over http than https. So in that aspect you should consider transmitting over http only the things that do not contain sensitive info.

Another way of thinking it: will someone benefit from snooping this image of the logo of my corporation? probably not.

However lets say you have (for whatever reason) an image with the bank account details of a customer. Should you transmit it over http? probably not.

EDIT: plus when you mix http & https requests in some browsers your customers will get nasty popup messages informing them that some content is unencrypted

Answer 2

According to the following questions, caching of HTTPS content is possible.

http://stackoverflow.com/questions/174348/will-web-browsers-cache-content-over-https

Answer 3

Use https, but http for JavaScript. How would that not be a bad idea??

As well as confidentiality, https protects the integrity of traffic. It turns out that almost anywhere you can eves drop a network connection, you can escalate that flaw into malicious corruption.

From a usability point of view, (good) browsers will flag any https page containing http components as insecure.

Answer 4

I would like to expose images,javascript files etc. over http. Otherwise they don’t get cahched. Is this advisable from security point of view? What are the risks involved?

If you mix http and https content on a page, the page is inherently unsecure. Say your page has is delivered over https, and has a form that POSTs data to your webserver. Now because your JS is sent over http, a man-in-the-middle could replace its contents and add a line to change the action parameter of your form. This way, he'd be able to post data to his server rather than yours.

To prevent such a possibility, browsers pop-up the mixed content warning. Its bad for usability, but from a security perspective they are absolutely right.

If you are concerned about security, don't mix http and https. If caching is your concern - its possible to cache https responses. Browsers do it if you have the right headers. I am guessing intermediate proxies would also do the same. Perhaps you can list the proxies you are using and someone can comment on its caching strategy.