HTTPS fail [Tuesday 10th June 2014 at 9:17 pm]
Thomas

boggyb
[Feeling | disappointed]

Is HTTPS really so hard to achieve? Or is it just that, because Firefox and Chrome are less strict than Internet Explorer as to what counts as secure and what doesn't (Firefox until recently didn't even warn about non-HTTPS parts of HTTPS pages, let alone block them), no-one actually bothers to do HTTPS properly?

It's not as if it's a hard concept to understand. If your secure website loads any content from an insecure URL, then it's not your website anymore. And yes, this even applies to images - an attacker could replace a "Click here to submit" image with, I don't know, a "For security reasons enter http://evil.example.com/ in your address bar" image or something.

This mini-rant brought to you by being about to place an order online and wondering why there's no padlock symbol despite the site using a https: URL.
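
An added example, not part of the original post: a small Python check that lists the subresources an HTTPS page would fetch over plain HTTP, including the image case described above. The tag table, the sample page and the example.com host names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch a subresource (assumed subset).
# <a href> is left out on purpose: it is navigation, not a load into the page.
FETCHING = {"img": "src", "script": "src", "iframe": "src", "audio": "src",
            "video": "src", "source": "src", "embed": "src", "object": "data"}
LINK_RELS = {"stylesheet", "icon", "preload", "modulepreload"}

# Constructed sample page: only the submit image is loaded insecurely.
SAMPLE = """<html><head>
<link rel="stylesheet" href="/site.css">
<link rel="canonical" href="http://shop.example.com/checkout">
<script src="//cdn.example.com/lib.js"></script></head><body>
<a href="http://example.com/help">Help</a>
<img src="http://img.example.com/submit.png" alt="Click here to submit">
</body></html>"""


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url      # replaced if the page carries <base href>
        self.findings = []        # (tag, resolved URL) for each insecure load

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href"):
            self.base = urljoin(self.base, a["href"])
            return
        if tag == "link":
            # Only some rel values cause a fetch; rel="canonical" does not.
            rels = set((a.get("rel") or "").lower().split())
            ref = a.get("href") if rels & LINK_RELS else None
        else:
            ref = a.get(FETCHING.get(tag, ""))
        if not ref:
            return
        url = urljoin(self.base, ref.strip())  # resolves relative and // URLs
        if urlsplit(url).scheme == "http":
            self.findings.append((tag, url))


def find_mixed_content(page_url, html):
    """Return insecure subresources of an HTTPS page; [] if the page is not HTTPS."""
    if urlsplit(page_url).scheme != "https":
        return []
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings
```

Relative and protocol-relative URLs inherit the page's scheme, so they are only flagged when a `<base href>` points them at an http: origin.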