

Google Securing The Web One Discrete Monopolizing Push At A Time - kloncks
http://eric.lubow.org/2011/security/google-securing-the-web-one-discrete-monopolizing-push-at-a-time/

======
paganel
The fun thing is when you have a secure website and for some reason you have
to link to a .png or JS hosted on a different, non-secure domain. Last I
checked, IE was displaying to the user a very ugly security alert message.

~~~
justinschuh
What you're describing is known as a mixed-content vulnerability, which allows
an appropriately positioned third party to replace the content with whatever
they choose. In the case of something like an included JavaScript file, you're
negating most of the security provided by SSL.

See: http://googleonlinesecurity.blogspot.com/2011/06/trying-to-end-mixed-scripting.html

~~~
elubow
Right. I think the goal of all this is to have everyone be on SSL so there
aren't any mixed-content vulnerabilities. Hardware has come far enough that
SSL is no longer overly taxing for encrypting and decrypting streams between
the user and the site. So SSL-enabling a site isn't problematic (and in my
opinion should be encouraged). (Full disclosure: I wrote that article.)

