How secure is a partially insecure Web page?

Forums › Desktop computing › How secure is a partially insecure Web page?

kiwigander

231 posts

Master Geek
+1 received by user: 43

#225698 30-Nov-2017 22:04

Hi all,

Firstly, apologies if I haven't described the issue here well or if it belongs in another forum.

For the past few years I've been engaged in a minor conflict with my professional college over their Web site: specifically, its apparent insecurity.

The organisation expects its members to pay subscriptions and certain other fees online and has an https page for that. When I go to make a payment, though, Firefox (for example; I use Chrome as well) advises me that the page is insecure (broken padlock with a warning triangle).

After much toing and froing with various administrative people I've got the following explanation from a senior IT person:

"Thank you for your email regarding the security of our website. I can assure you that our registration functions are using ssl technology. For our payment processing we also use payflowpro, the corporate side of paypal which has its own security and verifications.

"The reason you are seeing a message about the ssl on some of our pages is because there are some jquery scripts which are serving up pictures on our website, which are only using http, instead of https."

Now I have no reason to distrust the chap who sent me that explanation, but it still makes me uneasy about, for example, putting my credit card details onto such a Web page. I therefore tend to play it safe and insist on faxing payment details to a trusted recipient (or paying by direct deposit).

My question is, am I being unreasonable? Or is it just good practice to regard any Web page that throws up a Firefox alert as insecure and not to put credit card details and other confidential information up on it?

TIA for all advice.

(edited because my attempt at html didn't work so well)

1 | 2

20515 posts

Uber Geek
+1 received by user: 4795

#1911352 30-Nov-2017 22:08

IMO their explanation could be correct. But as you say, it doesn't look good, as the lock broken. Those scripts and images if they are loading from external sources should still be https. When I have had this problem with my own sites, I have always fixed it.

I had a similar problem where I reported a similar problem with https on their website, where I kept getting popup security warnings. They got their web designer to contact me, who denied the problems, was quite unprofessional, and started pointing out problems with my website etc, which they were wrong about anyway. I escalated it to management, as I wasn't happy to be treated that way, as I was only reporting a problem to them. They ended up identifying the problem with their website and fixing it. But it wasn't worth the hassle of reporting it.

One thing though is that Firefox and chrome are now displaying this 'connection is not secure' warnings in the address bar (if you click on the icon where the lock normally appears) of website that don't use https, as there is a major push for all websites to use https.

Geektastic

18009 posts

Uber Geek
+1 received by user: 8465

Trusted

Lifetime subscriber

#1911353 30-Nov-2017 22:10

I was so tempted to answer with "Partially secure"..!

mdav056

616 posts

Ultimate Geek
+1 received by user: 160

Subscriber

#1911355 30-Nov-2017 22:15

No answers, sorry, but I'm interested -- because recently Malwarebytes Premium said "DONT GO THERE" to me on attempting to access the Seniors page of Min Social Development... Sounds like it might be the same thing happening.

Told MSD, and they responded by sending me a link on How to Stay Safe Online. Which is kind of odd, when you think about it.

gml

KiwiSurfer

1722 posts

Uber Geek
+1 received by user: 993

ID Verified

Lifetime subscriber

#1911356 30-Nov-2017 22:24

Did you ask why they can't serve their jquery scripts (or actually everything) over HTTPS? This is what typically happens in a professional outfit.

kickintheeye

112 posts

Master Geek
+1 received by user: 52

#1911357 30-Nov-2017 22:34

If the website is loading images from an insecure source that will break the lock. They should fix their code in order to fix the issue instead of giving excuses.

kiwigander

231 posts

Master Geek
+1 received by user: 43

#1911359 30-Nov-2017 22:41

KiwiSurfer:

Did you ask why they can't serve their jquery scripts (or actually everything) over HTTPS? This is what typically happens in a professional outfit.

I asked. I got this in reply:

I’ll ask my team if we can try and serve this up as https content. It’s a reference to an external code library which our main templates use, so I am not 100% sure its possible.

Presumably it has been either not possible or not doable within budgetary/manpower/etc constraints.

Apple TV

Stream your favourite shows now on Apple TV (affiliate link).

gehenna

8667 posts

Uber Geek
+1 received by user: 3883

Moderator

Trusted

Lifetime subscriber

#1911360 30-Nov-2017 22:44

If all components of the site aren't secure, then the site is not secure. Two is one, one is none and all that jazz.

Oblivian

7345 posts

Uber Geek
+1 received by user: 2117

ID Verified

#1911364 30-Nov-2017 23:02

Chrome Dev tools (f12) has its own security tab now BTW. So you can load it and see what resources it doesn't like

ANglEAUT

altered-ego
2436 posts

Uber Geek
+1 received by user: 841

Trusted

Lifetime subscriber

#1911861 2-Dec-2017 00:56

kiwigander: ... My question is, am I being unreasonable? Or is it just good practice to regard any Web page that throws up a Firefox alert as insecure

Your concerns are valid. Plain & simple.

Longer answer: To answer the question in the subject of this thread. If only images were loaded via HTTP on this site, then it would be more secure than a site that loads script & libraries via HTTP. Your IT guy has given you the correct & truthful info, but unfortunately seems unwilling to act on this. His set of users is small / manageable / well known with only one person raising concerns (complaining).
A benefit of HTTPS is that the content is from a 'validated' source. It is very easy to perform a 'man in the middle (MITM)' attack on HTTP traffic. Because HTTP traffic is not encrypted, anybody sniffing the packets can read your data stream and also insert their own traffic. The most jovial version of this is flipping images in your browser window upside down. Serving HTTP content in a HTTPS page is introducing a weak link in your security chain. Even if payflowpro or Paypal use SSL, that doesn't help if the website itself is tracking your usage & logging your keystrokes / mouse movements. This insecure content could capture everything you type on the website.

Actionable items for you (and the senior IT person)

These days, maintainers of public libraries know of the value to serve their content via HTTPS. If it is the jquery script itself that is external and loaded via HTTP, you should be able to update the HTML to load via HTTPS instead of HTTP.
If it is the actual images that are served via HTTP, why is the jquery script doing that? Maybe there is an updated version of the script that tries HTTPS first? Where do the images come from? Whhy can't the images be hosted on an HTTPS enabled site? Or better yet, bring them inhouse and host them on your own HTTPS enabled site.
As stated above, you can use the developer tools in Chrome, Firefox & IE/Edge to view what was loaded via HTTP. Copy that URL, paste it into your browsers address bar, modify the HTTP to HTTPS and see if the resource loads?
As an alternative, do a bit of collective action. Get everybody to use the fax option forthree to six months to submit their payments. Have them cite concerns about privacy & security when asked why. The payments processing team will groan and complain to IT to fix it. This will have the additional benefit that it's not you complaining. - This point is listed to show that some technical problems have a non-technical solution. Be creative.
Speak to other senior staff about your concerns and have them speak to IT to spend the money and keep everybody secure & safe.

Let us know if you have success with any of the approaches mentioned here (or if you crash & burn). PM me if you want a more in depth conversation.

Good luck.

Please keep this GZ community vibrant by contributing in a constructive & respectful manner.

kiwigander

231 posts

Master Geek
+1 received by user: 43

#1912455 3-Dec-2017 23:12

Thank you IcI for the detailed explanation.

I've made a preliminary stab with the Firefox developer tools and found one resource with an http:// address. I copied that address into another browser window and observed what loaded; then I replaced the http:// with https:// and what loaded looked at a glance to be the same.

Will try this again when I'm genuinely awake.

timmmay

20858 posts

Uber Geek
+1 received by user: 5350

Trusted

Lifetime subscriber

#1912468 4-Dec-2017 07:24

Post the link if you want someone else to have a look.

Apple TV

Stream your favourite shows now on Apple TV (affiliate link).

ANglEAUT

altered-ego
2436 posts

Uber Geek
+1 received by user: 841

Trusted

Lifetime subscriber

#1922384 20-Dec-2017 10:16

@kiwigander:
Thank you IcI for the detailed explanation.
...
Will try this again when I'm genuinely awake.

Any progress in getting the site secured?

Please keep this GZ community vibrant by contributing in a constructive & respectful manner.

dt

1152 posts

Uber Geek
+1 received by user: 371
Inactive user

#1922406 20-Dec-2017 10:48

can you PM me the link to the insecure address? I can let you know how much of a concern it is.

freitasm

BDFL - Memuneh
80646 posts

Uber Geek
+1 received by user: 41030

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#1922412 20-Dec-2017 11:20

I was going to post but @lcl did a great job.

Another thing to consider is cookies. They may use cookies to store authentication or session information. A browser will always send cookies to the server when a resource (images, scripts, css files, etc) is requested.

If the cookies are marked as Secure then only HTTPS requests will send the values stored in cookies. This reduces the risk of cookies/session hijacking. If these aren't marked as Secure (and if they are not marked as HTTPOnly) then a HTTP script could easily read these values during requests. Seeing these scripts are externals then you would have there a small chance of a data leak that could compromise session, user or any other information the site developer by chance stored on those cookies.

Another thing is that sites should all consider CSP (Content Security Policy) when implementing secure pages.

Lots of things to consider.

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

kiwigander

231 posts

Master Geek
+1 received by user: 43

#1922837 20-Dec-2017 23:37

Sorry for the delay in following this up (distractions, distractions).

I've checked the website again and got the same results as before. When I reach a page that greys out the security padlock and throws up the yellow warning triangle, Developer Tools finds only one reference to http://. I copy that into a new tab's address bar and it downloads a .dtd text file, which I rename firstfile.dtd. I then substitute https:// for the http:// and another .dtd file gets downloaded, which I rename secondfile.dtd. According to the diff -s firstfile.dtd secondfile.dtd command the two files are identical.

I've now gone back to the IT admin person and asked again whether the problem can be remedied.

If necessary I can chat with some higher-ups in the organisation.

I would not fancy my chances of organising a campaign of faxing or other work-arounds.

I suspect that giving out the web address of the organisation would land me in serious hot water, hence I must respecfully decline some respondents' offers to help investigate the site.

Thanks for all advice given, and I shall report back.

1 | 2