HTTPS fail
Jun. 10th, 2014 09:17 pm![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
torkellIs HTTPS really so hard to achieve? Or is it just that, because Firefox and Chrome are less strict than Internet Explorer as to what counts as secure and what doesn't (Firefox until recently didn't even warn about non-HTTPS parts of HTTPS pages, let alone block them), no-one actually bothers to do HTTPS properly?
It's not as if it's a hard concept to understand. If your secure website loads any content from an insecure URL, then it's not your website anymore. And yes, this even applies to images - an attacker could replace a "Click here to submit" image with, I don't know, a "For security reasons enter http://evil.example.com/ in your address bar" image or something.
This mini-rant brought to you by being about to place an order online and wondering why there's no padlock symbol despite the site using a https: URL.
It's not as if it's a hard concept to understand. If your secure website loads any content from an insecure URL, then it's not your website anymore. And yes, this even applies to images - an attacker could replace a "Click here to submit" image with, I don't know, a "For security reasons enter http://evil.example.com/ in your address bar" image or something.
This mini-rant brought to you by being about to place an order online and wondering why there's no padlock symbol despite the site using a https: URL.
