Are you safe from Mixed Content attacks?
An HTTPS page that loads HTTP content leaves you vulnerable to Mixed Content attacks.
This demo is a fake bank site. It uses a secure HTTPS connection with the intent of keeping your information safe. Just like many real bank and ecommerce sites, this site also loads an insecure HTTP script. An insecure script can be hijacked to steal your identity and upload it to the web.
Are you safe?
Mixed Content is a real security threat and many web developers understand and articulate the threat well. There are 3 easy steps to attack the user through a mixed content vulnerability…
Set up a Man-in-the-Middle attack.
These are most easily done on public networks such as those in coffee shops or airports.
Malicious code will run in an HTTPS website that the user browses to. The key point is that the HTTPS site has a mixed content vulnerability on it, which means that it executes content downloaded over HTTP. This is where the Man-in-the-Middle attack and Mixed Content vulnerability combine into a dangerous scenario.
Steal the user’s identity (or do other bad things).
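To find the vulnerability described above before anyone else does, a site owner can scan a page's markup for subresources that would be fetched over HTTP. The following is an added example, not code from this page or the demo site; the tag list, the `scan` helper, the hostnames and the sample markup are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# tag -> (URL attribute, severity). "active" content can run code or restyle
# the page; "passive" content is only displayed.
SUBRESOURCES = {
    "script": ("src", "active"), "iframe": ("src", "active"),
    "object": ("data", "active"), "embed": ("src", "active"),
    "link": ("href", "active"),  # only when rel includes "stylesheet"
    "img": ("src", "passive"), "video": ("src", "passive"),
}

class MixedContentScanner(HTMLParser):
    """Collects subresources that an HTTPS page would fetch over plain HTTP."""
    def __init__(self, page_url):
        super().__init__()
        if urlparse(page_url).scheme != "https":
            raise ValueError("mixed content only applies to HTTPS pages")
        self.page_url = page_url
        self.findings = []  # (severity, tag, resolved URL)

    def handle_starttag(self, tag, attrs):
        if tag not in SUBRESOURCES:
            return  # e.g. <a href> is navigation, not a subresource
        attr, severity = SUBRESOURCES[tag]
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower().split():
            return
        value = (attrs.get(attr) or "").strip()
        # Resolve relative and protocol-relative URLs against the page, so
        # "//cdn.example/x.js" inherits https and is not flagged.
        resolved = urljoin(self.page_url, value)
        if value and urlparse(resolved).scheme == "http":
            self.findings.append((severity, tag, resolved))

def scan(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return sorted(scanner.findings)

# Constructed sample page (not the demo site's markup).
SAMPLE = """<html><head><script src="http://cdn.example/analytics.js"></script>
<script src="//cdn.example/app.js"></script>
<link rel="stylesheet" href="https://bank.example/site.css"></head>
<body><img src="http://img.example/logo.png"><a href="http://other.example/">link</a></body></html>"""

if __name__ == "__main__":
    print(scan("https://bank.example/login", SAMPLE))
```

The scan covers static markup only; resources that scripts add at run time need a browser-side check.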