

Automatically avoiding mixed-content warnings when using SSL - robmil
http://digital.bigfish.co.uk/2012/04/avoiding-mixed-content-with-ssl/

======
subleq
This is rather misleading. It 'fixes' the warning, but still leaves open the
security vulnerability you were warned about. You are left vulnerable to
someone intercepting your [server's] connection to `example.com` and inserting
something nasty.

~~~
robmil
While that's true, is there any scope for attack through images?

It's a generally interesting point though, that feeds into questions of what
the general purpose of SSL is. This still has benefits for the end user — the
café owner/hotel company/etc. can't modify their connection — and so surely is
better than nothing, but is it enough?

~~~
pasbesoin
IIRC, several years ago, maliciously crafted JPG images introduced
vulnerabilities, particularly with respect to broken/vulnerable Microsoft
parsing functionality.

IMO, if you haven't vetted it, don't pawn it off as secure.

I realize there are practical limitations, but simply turning oneself into a
blind indirection does not meet a particularly high standard, again IMO.

And the other commenter has a point about MITM, even if you decide you trust
the image source.
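The two objections raised in this thread, as an added example that is not part of the original post or the linked article: the first helper audits an HTTPS page for the `http://` sub-resources that a server-side image proxy would be hiding, and the second vets what such a proxy has fetched before re-serving it, refusing plain-HTTP upstreams (the interception subleq describes), capping the size, and checking the bytes against image magic numbers so that an arbitrary payload is not relayed under an image label. The function names, the sample HTML and the byte strings are constructed for the example.

```python
"""Auditing mixed content and vetting an image proxy's upstream fetch.

Added example for this thread; not code from the linked article.  The
helper names, the sample HTML and the image byte strings are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# (tag, attribute) pairs that make a browser fetch a sub-resource.
FETCH_ATTRS = {("img", "src"), ("script", "src"), ("link", "href"),
               ("iframe", "src"), ("source", "src"), ("video", "src"),
               ("audio", "src")}


class _SubresourceScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            # Only an explicit http:// scheme is mixed content on an HTTPS
            # page; protocol-relative (//host/...) and relative URLs inherit
            # the page's https scheme.
            if (tag, name) in FETCH_ATTRS and value and urlparse(value).scheme == "http":
                self.insecure.append(value)


def find_mixed_content(html):
    """Return the http:// sub-resource URLs an HTTPS page would load."""
    scanner = _SubresourceScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.insecure


# Magic numbers of the formats the proxy is willing to relay.
IMAGE_SIGNATURES = (
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
)
MAX_IMAGE_BYTES = 5 * 1024 * 1024  # upper bound on what the proxy buffers


def sniff_image_type(body):
    """Content type from the leading bytes, or None if not a known image."""
    for signature, content_type in IMAGE_SIGNATURES:
        if body.startswith(signature):
            return content_type
    return None


def vet_proxied_image(upstream_url, body, declared_type):
    """Decide whether an image the proxy fetched may be re-served.

    Returns (allowed, detail): detail is the content type to serve on
    success, or the reason for refusal.  Assumes the caller fetched
    upstream_url with certificate verification enabled.
    """
    if urlparse(upstream_url).scheme != "https":
        # Relaying a plain-HTTP fetch removes the browser warning, but the
        # server's own request can still be intercepted and altered.
        return False, "upstream fetched over plain HTTP"
    if len(body) > MAX_IMAGE_BYTES:
        return False, "body exceeds size cap"
    sniffed = sniff_image_type(body)
    if sniffed is None:
        return False, "body is not a recognised image format"
    if declared_type.split(";")[0].strip().lower() != sniffed:
        # Serve only what the bytes actually are; a mismatch is worth
        # logging rather than silently correcting.
        return False, "declared %s but bytes look like %s" % (declared_type, sniffed)
    return True, sniffed


if __name__ == "__main__":
    page = ('<html><body><img src="http://example.com/logo.jpg">'
            '<img src="//example.com/b.png">'
            '<script src="https://example.com/app.js"></script>'
            '</body></html>')  # constructed sample page
    print(find_mixed_content(page))
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16  # constructed JPEG header
    print(vet_proxied_image("http://example.com/logo.jpg", jpeg, "image/jpeg"))
    print(vet_proxied_image("https://example.com/logo.jpg", jpeg, "image/jpeg"))
```

When a response passes `vet_proxied_image`, serve it with the sniffed type rather than the upstream's declared one, and add `X-Content-Type-Options: nosniff` so the browser does not reinterpret the bytes; the audit function is what you run before deciding that a proxy is even needed for a given page.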

