0

Scenario goes like this: Main parts of web site is on one server. All traffic goes over https. I have no control ovet this server.

Themes use css files and images from another server. Also over https. I have full control over this server.

How vulnerable is the main site (how and why) if css files and images would go over http? I am asking only about css and images.

I don't know how relevant is, but server is Apache and language is PHP.

---------------- edit ------------
So far, there is 'a man in the middle' attack who can change css and thus hide my content, introduce new images and add more text.
But can not create live links, or add js...

Here is a good discussion about this topic started by symcbean.

Improve this question
6
  • Vulnerable against what? Commented Nov 4, 2015 at 11:18
  • Also people will get errors when doing that because of unsafe resources Commented Nov 4, 2015 at 11:21
  • I think this question fits better at security.stackexchange.com Commented Nov 4, 2015 at 11:21
  • @PeeHaa: Good question but I have no clear answer. Simply because I don't know what security holes it can create (if any). Commented Nov 4, 2015 at 11:22
  • 2
    There's already a discussion on the topis at security.stackexchange: security.stackexchange.com/questions/37832/css-based-attacks Commented Nov 4, 2015 at 12:20

2 Answers 2

Reset to default
3

Any unencrypted HTTP connection can potentially be intercepted and modified by men-in-the-middle. That means, any resource you're retrieving via an HTTP connection is untrustworthy; it cannot be confirmed whether it's the original resource as intended. That means an attacker may be able to include resources in your page which you did not intend to include.

In the case of CSS files content can be altered on your site (display: none, content: "Please go to example.com and enter your password"), in the case of images exploits may be introduced (through buggy image decoding client-side), in the case of Javascript entirely arbitrary behaviour may be injected (e.g. sending all key-strokes to a 3rd party server).

Improve this answer
Sign up to request clarification or add additional context in comments.

11 Comments

changing src of css in the browser doesn't become vulnerable really.
No but the content is... @BhojendraNepal
You can or cannot accept all you want, but this answer is perfectly correct on every point
@Bhojendra You do not seem to realise how powerful CSS can be for altering content, and what security implementations this may curtail.
@CoR Examples always depend on specifics. It should be enough that it's theoretically possible to do something you do not intend to be done on your site. Someone somewhere someday will develop this theoretical security hole into a practical exploit. You simply do not dismiss obvious entry points as harmless because you can't think of a concrete exploit right now.
|
0

A third party may modify those CSS or images to convey different things, either by tampering that data on the fly, or by spoofing the target. The browser would not know if is getting those from a reliable source, and probably would complain about mixed content issues. CSS3 has many features that may bring pictures from another domain or include unintended content.

Improve this answer

1 Comment

"include unintended content." can you name some for an example and clarity.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.