Mixed Content Warnings

Posted by jgraver on January 18, 2009
SSLFail

We are off the domain mismatch SSL Errors right now, so I thought I would highlight another one that I find pretty often – Mixed Content Errors.

My (current) browser of choice, Chrome, defines Mixed Content Errors as:

“Your connection to www.website.com is encrypted with 128-bit encryption. However this page includes other resources which are not secure. These resources can be viewed by others in transit, and can be modified by an attacker to change the look or behavior of the page.”

Oh Noes!

Royalbank serving up mixed content

Here is HSBC doing so on its homepage

Here are two Foreign Canadian Fails

And I think this one was my favorite because I found it on National Bank’s Confidentiality Policy page.

I want to start a discussion about the dangers of Mixed Content in SSL Sessions.

  • Are these things serious?
  • Did my lock icon pop open to alert me of an attack?
  • What part of this session IS encrypted and what part ISN’T?
  • Where are my cookies going?
  • What is the most malicious thing you can think of injecting into a Mixed Content SSL Session?

5 Comments to Mixed Content Warnings

Tyler
January 19, 2009

I’ll start off the discussion here…

Firefox gives almost no warning for mixed-content pages. My lock has a little ‘!’ on it in the bottom corner of my screen. It provides more of a warning when a cert is self-signed than it does for a page that has mixed content.

That to me is a problem… but also a statement of the direction we’re going. This issue speaks to me in a couple of ways.

1) SSL is all about verification of identity, not encryption. Given that a fully encrypted site with a self signed cert gets a full warning, and a partially encrypted site with mixed content gets no warning, I think that’s a fair assumption to make.

2) Trust is fully and wholly placed in the owner of the site. If we trust the owner, then we can trust anyone associated with the site.

Both of these worry me a great deal. This is a gross injustice to the user, or maybe it’s what the user wants. This has actually given me an idea… more to come in the future.

Anyways, I like the discussion idea, so let’s have more discussion!

jgraver
January 19, 2009

Firefox 3 does a horrible job of informing the user about Mixed Content. Firefox 2 had a far superior SSL user experience in every way.

Michael Dickey
January 19, 2009

1. Are these things serious? Certainly they could be, for two reasons. First, if the site actually is secure and the only non-secure things are stupid things that don’t matter, then we’re hurting the user trust/experience. Second, it could mean the important stuff isn’t even secure! O_o

2. What part of this session IS encrypted and what part ISN’T? Sadly, no one really can answer this in any practical way. We could examine the code and/or traffic and see what is being pulled down in SSL or not, but the chances of most people doing that are nil.

3. What is the most malicious thing you can think of injecting into a Mixed Content SSL Session?

I suppose I could inject goatse images! I could maybe even inject a twiddled form that submits to my server (over https because we gotta be secure!) rather than the real server. Not sure what alerts that may cause, but it is interesting to think about. I could probably also inject javascript somewhere in there and do whatever I want, really.

@Tyler: Verification of identity…and god only knows how well the CAs are doing at even that part!

I love your observation there, and it’s a great point! A site is encrypted but with a non-EV SSL cert (or self-signed cert), and we get stopped cold. But partial encryption?

I wonder when the day will come where we don’t have unencrypted and encrypted traffic, but rather it is encrypted from the start? I suppose it can’t happen on the web, but maybe the thing that replaces the web in 20 years? Then again, maybe that is asking too much from the onset of some new technology/protocol…

Michael Coates
January 24, 2009

Another item to add is that there is a good chance one of those unencrypted requests could be going to the same domain and thus carrying the sessionID across in the clear. If so, game over, your session is compromised.

re: firefox, you can turn on the mixed content warning. But it’s just a warning with an ok box. There’s no way to say you want to stop going forward.

-Michael
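
As an added illustration (not code from the post or its commenters): a static check in Python that lists the resources an HTTPS page would fetch over plain http, splits them into active and passive content, and flags those on the page's own host, where a session cookie not marked Secure would travel in the clear, as the comment above describes. The hosts and the sample HTML are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> (URL attribute, kind). "active" resources can script or restyle the
# page; "passive" ones are only displayed.
RESOURCE_TAGS = {
    "script": ("src", "active"), "iframe": ("src", "active"),
    "link": ("href", "active"), "object": ("data", "active"),
    "embed": ("src", "active"), "img": ("src", "passive"),
    "audio": ("src", "passive"), "video": ("src", "passive"),
}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr, kind = RESOURCE_TAGS.get(tag, (None, None))
        attrs = dict(attrs)
        rel = (attrs.get("rel") or "").lower().split()
        # Count <link> only when it loads a stylesheet (not canonical etc.).
        if not attr or not attrs.get(attr) or (tag == "link" and "stylesheet" not in rel):
            return
        # Resolve relative and protocol-relative URLs against the page URL.
        parts = urlsplit(urljoin(self.page_url, attrs[attr]))
        if parts.scheme == "http":
            # Same host over http: cookies lacking the Secure flag travel in clear.
            same_host = parts.hostname == self.page_host
            self.findings.append((kind, tag, parts.geturl(), same_host))

def find_mixed_content(page_url, html):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample page (hypothetical hosts), not taken from any real site.
SAMPLE_URL = "https://www.bank.example/login"
SAMPLE_HTML = """<link rel="stylesheet" href="https://www.bank.example/site.css">
<link rel="canonical" href="http://www.bank.example/login">
<script src="http://stats.tracker.example/t.js"></script>
<img src="http://www.bank.example/img/logo.gif"><img src="/img/lock.gif">
<script src="//cdn.bank.example/app.js"></script>"""

if __name__ == "__main__":
    for kind, tag, url, same_host in find_mixed_content(SAMPLE_URL, SAMPLE_HTML):
        note = " (cookies without Secure flag exposed)" if same_host else ""
        print(f"{kind:7} <{tag}> {url}{note}")
```

The exact-host comparison is conservative: a cookie set with a `Domain=` attribute is also sent to subdomains, so plain-http requests to sibling hosts can expose it too.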

[...] Warnings == SSLFail! Posted by Tyler on June 25, 2009 SSLFail Jay posted on this previously and we had a brief discussion surrounding it in the comments, but I wanted to bring this up again [...]
