Closed
Bug 570208
Opened 14 years ago
Closed 14 years ago
TLS/SSL Mixed Content Error Due to Scripts, Video and Images Sent over HTTP
Categories
(Websites Graveyard :: drumbeat.org, defect)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: mcoates, Unassigned)
Details
(Whiteboard: [infrasec:tls][drumbeat-security])
Issue

There is a pervasive issue throughout the site of content (JavaScript, video, images) served over HTTP on pages that are accessible via HTTPS. This results in a mixed content error message to the user. In addition to the error message, this situation undermines the security of the SSL connection since a man in the middle could modify this HTTP content and compromise the page of the user.

Steps to reproduce:

1. Ensure Firefox is configured to display mixed content errors (Preferences->Security->Settings->I'm about to view an encrypted page that contains some unencrypted information)
2. Browse throughout the drumbeat site starting at https://www.drumbeat.org/
3. Observe the mixed content warning messages on each page

Recommended Remediation

The technical solution to this issue is to modify all HTTPS pages so all content is delivered over HTTPS. This would involve ensuring all JavaScript, third party videos, and images are available via HTTPS. This may present a difficulty since the video is provided by vimeo.com and this site doesn't appear to support SSL for videos. A decision should be made on which pages need HTTPS access and which do not. For those that do (login pages and all authenticated pages) then it is important to ensure all content is delivered over HTTPS - especially JavaScript, Flash, and style sheets.
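An added example, not part of the original report or the site's code: a small audit script that lists the HTTP subresources an HTTPS page references, so the remediation can be checked page by page. The sample markup and hosts are constructed, and the active/passive split is an assumption that follows the report's emphasis on JavaScript, Flash and style sheets.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Element -> attribute that makes the browser fetch a subresource.
SRC_ATTRS = {"script": "src", "iframe": "src", "embed": "src", "object": "data",
             "img": "src", "video": "src", "audio": "src", "source": "src"}
# Content that can script or restyle the page (JavaScript, Flash, style sheets).
ACTIVE = {"script", "iframe", "embed", "object", "link"}

# Constructed sample markup, not the real site's HTML; hosts are placeholders.
SAMPLE = """
<link rel="stylesheet" href="/css/site.css">
<script src="http://static.example.test/js/app.js"></script>
<script src="//cdn.example.test/lib.js"></script>
<img src="http://static.example.test/logo.png">
<object data="http://video.example.test/player.swf"></object>
<a href="http://example.test/about">About</a>
"""


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url   # a <base href> can change how relative URLs resolve
        self.findings = []     # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href"):
            self.base = urljoin(self.base, a["href"])
        if tag == "link":
            rels = (a.get("rel") or "").lower().split()
            url = a.get("href") if "stylesheet" in rels else None
        else:
            url = a.get(SRC_ATTRS.get(tag, ""))
        absolute = urljoin(self.base, (url or "").strip())
        if url and urlparse(absolute).scheme == "http":
            self.findings.append(("active" if tag in ACTIVE else "passive", tag, absolute))


def find_mixed_content(page_url, html):
    finder = MixedContentFinder(page_url)
    if urlparse(page_url).scheme == "https":  # mixed content only applies to HTTPS pages
        finder.feed(html)
    return finder.findings


if __name__ == "__main__":
    print(*find_mixed_content("https://www.drumbeat.org/", SAMPLE), sep="\n")
```

Relative and protocol-relative URLs inherit the page's HTTPS scheme and are not reported, and plain hyperlinks are ignored because they are not loaded as part of the page.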
Reporter
Comment 1•14 years ago
Any updates here?
Comment 2•14 years ago
Not yet, unfortunately. We have limited resources for the Drupal version of this site and are focused on the rewrite. We're hoping to release the Django-based rewrite in early 2011. This specific issue will be addressed in the Django-based version. I'll open another ticket for security review of that project before launch. Marking this WONTFIX in the meantime.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → WONTFIX
Updated•12 years ago
Group: websites-security
Assignee
Updated•9 years ago
Product: Websites → Websites Graveyard