Hey guys, I have my own webserver hosting a website on which I recently installed/set up a self-signed SSL cert. Securing the website seemed to go fine, but in Firefox and IE I sometimes get pop-up boxes that say something along the lines of "There is a mix of secure and insecure information on this page..." and in the Firefox error console it says something about being possibly susceptible to an SSL vulnerability (CVE-2009).

  1. Is this truly a vulnerability I should be worrying about?
  2. Does anyone know what might be causing the problem/how I can fix whatever is causing the problem?
+2  A: 

Hi Joe,

The mixed content warning is caused by loading some content (images, scripts, css, iframes, ...) using http. The easiest way to find these is to open the source code view in the browser and search for "http://".

This is truly a security issue: If an attacker can manipulate a script or css file, he can modify any part of your page (for example change the target of a login form). And even images are an issue because they can display instructions misleading the user.

I guess that you are referring to CVE-2009-3555: This is not related to the mixed content warning. And you can ignore it for now, assuming your webserver is using the newest security updates:

Unfortunately, when using the present, flawed SSL/TLS protocol version, it is not possible to determine whether a site is protected or vulnerable.

https://wiki.mozilla.org/Security:Renegotiation

nhnb
+1. Mixed content is also an issue when the site doesn't use secure cookies and tries to connect to the same machine over plain HTTP for example. I've seen this a few times for HTTPS sites that leave the company logo/css on the non-SSL site. Essentially, mixed-content is a bug (or bad-design) from the website developer, whereas CVE-2009-3555 is about a protocol flaw, fixed with a new extension (not implemented everywhere yet).
Bruno
Thanks for the responses guys, I'm not sure why Firefox's error console was mentioning CVE-2009-3555 (it no longer mentions it) but I figured out what was causing the mixed content warning. Of all things, it was my link to the jQuery library via Google. Since that link was http:// rather than https://, it was causing the mixed content warning.
Joe
+1  A: 

Another good way to isolate HTTP vs. HTTPS requests is via Fiddler - you should see right away which files, if any, are requested of your site without SSL.

The requests should have the HTTP REFERER header set, which can help find out why those resources are requested over HTTP instead of HTTPS.

One obscure issue will occur if your web site uses IFRAMEs, where the content is set at run-time. Having no content in the IFRAME (an empty source tag) will cause IE to think that it's not a resource protected by HTTPS, so you'll get the warning even though no content actually got transmitted over HTTP.

mwalker
+1  A: 

It can be a security problem. See http://www.sslshopper.com/article-stop-the-page-contains-secure-and-nonsecure-items-warning.html for information on how to fix it.

Robert
+2  A: 

Basically you're serving up HTTP content somewhere on the page, be it an image, a CSS file or something else. One of the nicest ways to fix this is to use protocol relative URLs; they have the form of

"//example.com/image.gif"

for example

<img src="//example.com/image.gif" />

This has the effect of loading the resources using the protocol the hosting page has, http if it's http, https if it's https.

Fiddler is great for tracking these things down as the protocol for resources is clearly shown in the UI.

blowdart
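
An added example (not code from any of the answers above): a small Python scanner that automates the "search the source for http://" approach from the first answer, reporting only attributes that actually make the browser fetch a subresource, and also flagging the empty IFRAME src case described for IE. The tag/attribute lists, the function names and the sample page are constructed for illustration and are not exhaustive.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs that trigger a subresource fetch (illustrative, not complete).
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href")}   # can rewrite the page
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src")}      # display-only content


class MixedContentFinder(HTMLParser):
    """Collects (line, kind, tag, url) for each insecure subresource reference."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        line = self.getpos()[0]
        # <link> is only treated as a subresource when it is a stylesheet.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        # An IFRAME with no source, filled in at run time, triggers the IE warning.
        if tag == "iframe" and not (attrs.get("src") or "").strip():
            self.findings.append((line, "empty-iframe", tag, ""))
            return
        for name, value in attrs.items():
            url = (value or "").strip()
            if not url.lower().startswith("http://"):
                continue  # https:// and protocol-relative // URLs are fine
            if (tag, name) in ACTIVE:
                self.findings.append((line, "active", tag, url))
            elif (tag, name) in PASSIVE:
                self.findings.append((line, "passive", tag, url))


def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page, as it would be served over HTTPS.
SAMPLE = """<html><head>
<link rel="stylesheet" href="https://www.example.com/site.css">
<script src="http://cdn.example.net/jquery.min.js"></script>
</head><body>
<a href="http://example.org/">plain link, not a subresource</a>
<img src="//www.example.com/logo.gif" />
<img src="http://www.example.com/banner.gif" />
<iframe id="late" src=""></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in find_mixed_content(SAMPLE):
        print(finding)
```

The plain `<a href="http://...">` link is not reported, which is why a raw text search for "http://" over-reports compared with checking the attributes that load content.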