

Comodo not really getting the concept of HTTPS - andygambles
http://servertastic.tumblr.com/post/49923726926/comodo-not-really-getting-the-concept-of-https

======
davidddavidson
Related: [http://www.troyhunt.com/2013/05/why-i-am-worlds-greatest-lover-and.html](http://www.troyhunt.com/2013/05/why-i-am-worlds-greatest-lover-and.html) (hn discussion: <http://news.ycombinator.com/item?id=5661806>)

Looks like Troy picked up the Comodo story and demonstrates a MiTM attack
here: [http://www.troyhunt.com/2013/05/heres-why-you-cant-trust-ssl-logos-on.html](http://www.troyhunt.com/2013/05/heres-why-you-cant-trust-ssl-logos-on.html)

------
andygambles
So while loading the seal over standard http is not a security issue in itself,
there is the problem of mixed content when it is loaded over https.

This could leave the site open to a MiTM-style attack, since security fatigue
means the user just loads the insecure content. The http request could then
potentially be redirected to load alternative content.

~~~
kdecherf
Note: Firefox 23 (currently active in Nightly) will block insecure content by
default

~~~
andygambles
Images are classed as passive content by Firefox 23, so by default they will
load; just the padlock will not show. More info:
[https://blog.servertastic.com/firefox-23-to-block-mixed-content/](https://blog.servertastic.com/firefox-23-to-block-mixed-content/)
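The mixed-content problem described in the two comments above (an http seal image on an https page, and the active/passive split that decides whether Firefox 23 blocks a resource or merely withholds the padlock) can be checked mechanically before a page ships. The scanner below is an added example, not code from the thread or from Comodo; it parses an HTML document, resolves every sub-resource URL against the page URL, flags those that would be fetched over plain http, and labels each as active (a MiTM can inject code or styles) or passive (a MiTM can only swap what is displayed). The sample page, the `shop.example` and `cdn.example` hosts, and the `seal.js` file name are constructed for the example; the seal image URL is the one quoted later in the thread.

```python
"""Mixed-content checker for an https page (added example, not from the thread).

The active/passive split follows the distinction Firefox 23's blocker drew:
active content (scripts, stylesheets, frames, plugins) is blocked by default,
passive content (images, media) still loads but the padlock is withheld.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that fetch a sub-resource, and how much a MiTM on that
# fetch can do: run code or restyle the page (active) vs swap a picture (passive).
KIND = {
    ("script", "src"): "active", ("iframe", "src"): "active",
    ("object", "data"): "active", ("embed", "src"): "active",
    ("link", "href"): "active",   # counted only for rel="stylesheet", see below
    ("img", "src"): "passive", ("audio", "src"): "passive",
    ("video", "src"): "passive", ("source", "src"): "passive",
}


class _ResourceCollector(HTMLParser):
    """Collects (tag, raw_url, kind) for every sub-resource reference."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            # <link rel="canonical"> and friends are not fetched as sub-resources.
            rel = (attrs.get("rel") or "").lower().split()
            if "stylesheet" not in rel:
                return
        for attr, value in attrs.items():
            kind = KIND.get((tag, attr))
            if kind and value:
                self.resources.append((tag, value, kind))


def find_mixed_content(html, page_url):
    """Return a list of {tag, raw, url, kind} dicts, one per sub-resource that a
    page served at page_url would fetch over plain http, in document order."""
    if urlsplit(page_url).scheme != "https":
        return []  # only an https page can have mixed content
    parser = _ResourceCollector()
    parser.feed(html)
    findings = []
    for tag, raw, kind in parser.resources:
        absolute = urljoin(page_url, raw)  # resolves '//host/x' and relative paths
        if urlsplit(absolute).scheme == "http":
            findings.append({"tag": tag, "raw": raw, "url": absolute, "kind": kind})
    return findings


def upgrade_to_https(html, page_url):
    """Rewrite each flagged http:// reference to https://. This is only a remedy
    where the host actually serves the resource over TLS, as the seal host does
    according to the thread; it must be verified per host, not assumed."""
    fixed = html
    for finding in find_mixed_content(html, page_url):
        raw = finding["raw"]
        fixed = fixed.replace(raw, "https://" + raw[len("http://"):])
    return fixed


# Constructed sample page: one passive and one active http resource, plus
# references that must NOT be flagged (canonical link, https stylesheet,
# protocol-relative script).
SAMPLE_PAGE = """<!doctype html>
<html><head>
<link rel="canonical" href="http://shop.example/checkout">
<link rel="stylesheet" href="https://shop.example/site.css">
</head><body>
<!-- seal embed with the image URL hard-coded to http, as in the thread -->
<img src="http://www.positivessl.com/images-new/PossitiveSSL_tl_trans.gif" alt="seal">
<script src="http://cdn.example/seal.js"></script>
<script src="//cdn.example/app.js"></script>
</body></html>"""

if __name__ == "__main__":
    page_url = "https://shop.example/checkout"
    for f in find_mixed_content(SAMPLE_PAGE, page_url):
        verdict = "blocked" if f["kind"] == "active" else "loads, padlock withheld"
        print(f"{f['kind']:7} <{f['tag']}> {f['url']}  ->  {verdict}")
```

Run it on a saved copy of a checkout page to see which references a browser like Firefox 23 would block outright and which it would quietly load without the padlock; protocol-relative `//host/path` references resolve to https on an https page and are therefore not reported.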

~~~
kdecherf
Hm, good to know

------
firloop
Even though the embed code has HTTP for the image url, it's still possible to
load the images over SSL.

[https://www.positivessl.com/images-new/PossitiveSSL_tl_trans.gif](https://www.positivessl.com/images-new/PossitiveSSL_tl_trans.gif)

~~~
andygambles
Which makes it even more stupid that they haven't put this as the source code.

