tags:

views:

72

answers:

3
+1  Q: 

Browser mixed content warning - what's the point?

I employ the Google maps API on my otherwise SSL-secured site. I invariably therefore get one of these terrible "mixed content" warnings pop up from my web app. This is annoying. I understand that this issue can be fixed when upon moving the app into production I sign up to a premier account with Google. Hurrah. I am just perplexed: the threat from Google to the integrity of my site remains the same whether I pull down their content over HTTP or HTTPS. What's the point, in other words, of browsers putting up this warning?

Thanks.

A: 

The reason this message exists is that any HTTPS connection is served via SSL, so the browser knows that the data coming in on it is indeed the exact data sent from the server.

This is not the case for any components that have been deliverd via HTTP - these can change components that have been delivered via SSL, so the guarantee that the HTTPS data is correct cannot be maintained.

That's why the warning comes up.

Oded  2010-09-23 13:41:55
+1  A: 

the threat from Google to the integrity of my site remains the same whether I pull down their content over HTTP or HTTPS

I think you're using the wrong threat model here. The threat is not that google might act maliciously and send the wrong data to your users. Indeed, SSL would not protect against that.

The actual threat is that a man in the middle (between your users and google) could eavesdrop on the unprotected data to determine what your users are up to, or even modify the unprotected content in order to trick them.

It's the duty of the browser to somehow inform the user that such attacks are possible. Otherwise the user will incorrectly think that everything is secure because he entered an "https" address.

Wim Coenen  2010-09-23 13:53:03
I am not sure that I use the wrong "thread model", as you write. It is just apparent from your answer, that _you_ trust Google more than any middle-man. I'd argue that any application mashing up 3rd party widgets is way more vulnerable to that 3rd party than any middle-man.
Ollie2893  2010-09-23 14:52:03
@Ollie2893: You already chose to trust google when you decided to use their maps API. To claim that you don't trust them is absurd; why would you intentionally leave your web application open to an attacker?
Wim Coenen  2010-09-23 15:25:45
Short of writing my own maps API (which is a waste of time; I am not in the map-making business), I must use an outside provider. I would not read into my use of Google's API that I trust them. Google has a corporate culture that is, at best, ambivalent about privacy. And just think what a wonderful Trojan the Maps API is. Unfortunately, I cannot think of a way of sandboxing that thing.
Ollie2893  2010-09-24 12:42:22
+2  A: 

The threat from Google may remain the same, but when you're loading the Google content over http, it's not just threats from Google you need to worry about; you also need to worry about man-in-the-middle attacks, in which someone pretends to be Google and injects malicious content into your page. With the number of people who use untrusted or insecure wireless networks, it's not too hard to launch a man in the middle attack these days.

Also, https is supposed to protect information going in both directions. If there is content on the page not protected via https, but the user sees the https in the address and lock icon, they may believe that information they enter is secure from eavesdroppers, when in fact some of the information is transmitted in the clear.

Brian Campbell  2010-09-23 13:53:39
"The threat from Google may remain the same" - this is key. If I switched to HTTPS for the mash-up, then the browser will be quiet but user information may still leak to Google. In other words, in suppressing the browser warning, HTTPS creates a false sense of security.
Ollie2893  2010-09-23 15:16:14
@Ollie2893 HTTPS certainly does not solve all security problems; there are all kinds of threats you are still vulnerable even if using HTTPS (cross-site scripting, malicious or incompetent servers that you are talking to, phishing attacks, etc). The reason for the warning is that even the guarantees that HTTPS is supposed to provide, that is, that your data will be encrypted going to the server and that content coming from the server is authentic, are no longer true once you have mixed HTTP and HTTPS content.
Brian Campbell  2010-09-23 15:37:39

related questions

Retrieving HTTP status code from loaded iframe with Javascript
How to specify an authenticated proxy for a python http connection?
Why does HttpCacheability.Private suppress ETags?
How to respond to an alternate URI in a RESTful web service
Is there a reason to use BufferedReader over InputStreamReader when reading all characters?
What would be a good, windows and iis (http) based distributed version control system
Database query representation impersonating file on Windows share?
How do I use NTLM authentication with Active Directory
Process raw HTTP request content
How would you implement FORM based authentication without a backing database?
Reading "chunked" response with HttpWebResponse
Best way to let users download a file from my website: http or ftp
How do I convert a date to a HTTP-formatted date in .Net / C#
What is the best way to upload a file via an HTTP POST with a web form?
How do I stop IIS7 dropping my cookies?
Checking FTP status codes with a PHP script.
HTTP Libraries for Emacs
Accessing post variables using Java Servlets
HTTP: Generating ETag Header
HTTP: How to know when to send a 304 Not Modified response
How do I best detect an ASP.NET expired session?
How can I make the browser see CSS and Javascript changes?
How to curl or wget a web page?
The Definitive Guide To Website Authentication
Implementation of "Remember me" in a Rails application.