Mixed Content

Are you safe from Mixed Content attacks?

An HTTPS page that loads HTTP content leaves you vulnerable to Mixed Content attacks.

This demo is a fake bank site. It uses a secure HTTPS connection with the intent of keeping your information safe. Just like many real bank and ecommerce sites, this site also loads an insecure HTTP script. Insecure script can be hijacked to steal your identity and upload it to the web.
Are you safe?
Try out the demo!
Mixed Content is a real security threat

Security researchers and many web developers understand and articulate the threat well. There are 3 easy steps to attack the user through a mixed content vulnerability…

Set-up a Man-in-the-Middle attack. These are most easily done on public networks such as those in coffee shops or airports.

Diagram from IBM Security Research

Use a mixed content vulnerability to inject a malicious javascript file. Malicious code will run in an HTTPS website that the user browsers to. The key point is that the HTTPS site has a mixed content vulnerability on it, which means that it executes content downloaded over HTTP. This is where the Man-in-the-Middle attack and Mixed Content vulnerability combine into a dangerous scenario.

“If some attacker is able to either tamper with Javascript or stylesheet files he can effectively also tamper with the other content on your page (e.g. by modifying the DOM ). So it’s either all or nothing. Either all of your elements are served using SSL, then you are secure. Or you load some Javascript or stylesheet files from a plain HTTP connection, then you aren’t secure anymore.”- me

Steal the user’s identity (or do other bad things).