TLS/SSL Mixed Content Error Due to Scripts, Video and Images Sent over HTTP

Status: RESOLVED WONTFIX
Priority: --
Severity: major
Reported: 8 years ago
Modified: 4 years ago
People

Reporter: mcoates (Unassigned)

Details

(Whiteboard: [infrasec:tls][drumbeat-security])

Issue

There is a pervasive issue throughout the site of content (JavaScript, video, images) served over HTTP on pages that are accessible via HTTPS. This results in a mixed content error message to the user. In addition to the error message, this situation undermines the security of the SSL connection since a man in the middle could modify this HTTP content and compromise the page of the user.

Steps to reproduce:
1. Ensure Firefox is configured to display mixed content errors (Preferences->Security->Settings->I'm about to view an encrypted page that contains some unencrypted information)
2. Browse throughout the drumbeat site starting at https://www.drumbeat.org/
3. Observe the mixed content warning messages on each page


Recommended Remediation

The technical solution to this issue is to modify all HTTPS pages so all content is delivered over HTTPS. This would involve ensuring all JavaScript, third party videos, and images are available via HTTPS.  This may present a difficulty since the video is provided by vimeo.com and this site doesn't appear to support SSL for videos.

A decision should be made on which pages need HTTPS access and which do not. For those that do (login pages and all authenticated pages), it is important to ensure all content is delivered over HTTPS, especially JavaScript, Flash, and style sheets.
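As an added example (not part of this bug or of the Drumbeat site's code), the following Python checker parses the HTML of an HTTPS page and reports the kinds of sub-resources the report describes (scripts, videos, images, stylesheets, Flash embeds) whose resolved URL is plain HTTP; the sample HTML, its paths and the vimeo video path are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements whose URL attributes pull in sub-resources; a man in the middle on the
# plain-HTTP fetch could alter any of them and so compromise the HTTPS page.
URL_ATTRS = {
    "script": ("src",), "img": ("src",), "iframe": ("src",),
    "video": ("src", "poster"), "source": ("src",),
    "embed": ("src",), "object": ("data",),  # Flash and other plugins
    "link": ("href",),                        # stylesheets only, see below
}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, attribute, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for attr in URL_ATTRS.get(tag, ()):
            value = attrs.get(attr)
            if not value:
                continue
            # urljoin resolves relative and protocol-relative ("//host/x") references
            # against the page URL, so only explicit http:// references stay http.
            url = urljoin(self.page_url, value)
            if urlsplit(url).scheme == "http":
                self.findings.append((tag, attr, url))

def find_mixed_content(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []  # a page that is itself HTTP cannot have mixed content
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample resembling the report: stylesheet and video embed over HTTP,
# a protocol-relative script and a relative image (both resolve to HTTPS).
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://www.drumbeat.org/css/site.css">
<script src="//www.drumbeat.org/js/app.js"></script>
</head><body>
<img src="/images/logo.png">
<iframe src="http://vimeo.com/video/EXAMPLE_ID"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content("https://www.drumbeat.org/", SAMPLE_HTML):
        print(f"mixed content: <{tag} {attr}> -> {url}")
```

Run against each HTTPS page of a site, the non-empty result is the list of references that must be switched to HTTPS (or dropped) before the warning and the tampering risk go away.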
Any updates here?

Not yet unfortunately. We have limited resources for the Drupal version of this site and are focused on the rewrite. We're hoping to release the Django-based rewrite in early 2011. This specific issue will be addressed in the Django based version. I'll open another ticket for security review of that project before launch. Marking this WONTFIX in the meantime.

Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → WONTFIX
Group: websites-security

Updated (4 years ago)

Product: Websites → Websites Graveyard