My bank (Bank A) is presently merging with another bank (Bank B). I have no doubt that the IT staff of Bank A is working hard on some sort of transition project, since we have online access only to Bank A.
But IE8, set on default security, gives me the following message when I access the front page of Bank A. (Note: this is new. The message did not begin to appear until late last week.)
Security Warning
Do you want to view only the webpage content that was delivered securely?
This webpage contains content that will not be delivered using a secure HTTPS connection, which could compromise the security of the entire webpage.
I am then allowed to click either Yes or No, or else open Microsoft’s help (stop laughing) page.
Now, I work with a company that develops payment gateway software (and sometimes the entire shopping cart). And so, I have at least some familiarity with the difference between http and https. According to my programmers, EVERY ITEM on a secure page must be securely called. A gif or jpg file, for example, must show in its property settings that it indeed originates from an https address.
I do answer “Yes”, and ostensibly receive only secure items on the page.
My question is whether it is the case that, were a person to answer “No”, a hacker (apologies to those who don’t like the use of that term in this context) could compromise the security of the page? Even see my login name and password? Or is it much ado over nothing?
My WAG would be that it would depend on what kind of network you’re on. If you’re on a secure network, that a hacker can’t get into and see what you’re doing at your terminal, you’re safer than if you’re using some open wireless network that someone in a parked car outside could be watching all the keystrokes you use. But I’m not an IT professional… so take it with a grain of salt.
Ah yes, ye olde mixed content warning. Here’s the risk.
The page is being delivered to you by HTTPS. This means that it’s a) encrypted, and b) authenticated, in that your browser can verify that the site you are attempting to access is in fact the site that you are accessing. HTML pages can contain references to other files, and you are getting this warning because some of those references are to files that will not be delivered over HTTPS.
Because they’re being delivered “in the clear”, an attacker could conceivably mess with them. (This is neither easy nor likely, but it is possible.) What’s the risk? Well, if the insecure content is an <img>, not much. Perhaps an attacker could change one of the bank’s images to an image that reads “WARNING! Your account has been compromised! Please email your name and password to fixmyaccount@banka.hackerhaha.com.”
If the insecure content is in a <script> tag, on the other hand, you’re hosed. And the bank’s webmaster should be fired. Out of a cannon, into the sun.
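The passive-versus-active distinction drawn in the reply above (an insecure <img> is a nuisance, an insecure <script> is game over), as an added example that is not part of the thread or the bank's own code: a small Node.js scanner that takes a page's HTML and the HTTPS URL it was served from, resolves every sub-resource reference the way a browser would, and reports the ones that would be fetched over plain http, labelling each as active or passive mixed content. The sample page and the banka.example / bankb.example hostnames are constructed for illustration.

```javascript
// Added example, not from the thread: flag sub-resources that an HTTPS page
// loads over plain http and label each as active or passive mixed content.
// Runs under Node.js (uses the WHATWG URL class); no network access needed.

// Tags whose insecure content lets a network attacker run code or restyle the
// page inside the bank's origin: this is the "you're hosed" case.
const ACTIVE_TAGS = new Set(['script', 'iframe', 'object', 'embed']);
// Tags whose insecure content can only be swapped for a different asset.
const PASSIVE_TAGS = new Set(['img', 'audio', 'video', 'source']);

const TAG_RE = /<([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;                 // opening tags only
const URL_ATTR_RE = /(?<![\w-])(?:src|href)\s*=\s*["']([^"']+)["']/gi; // src="..." / href="..."
const STYLESHEET_RE = /\brel\s*=\s*["'][^"']*\bstylesheet\b/i;

function classifyTag(tag, attrs) {
  if (ACTIVE_TAGS.has(tag)) return 'active';
  // An attacker-controlled stylesheet can hide or overlay the login form.
  if (tag === 'link' && STYLESHEET_RE.test(attrs)) return 'active';
  if (PASSIVE_TAGS.has(tag)) return 'passive';
  return null; // <a>, <form>, <input>... are not sub-resource loads
}

// Returns [{tag, url, kind}] for every reference that resolves to http://,
// in document order. Nothing is reported for a page that is itself http.
function findMixedContent(html, pageUrl) {
  const base = new URL(pageUrl);
  if (base.protocol !== 'https:') return [];
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    const kind = classifyTag(tag, m[2]);
    if (!kind) continue;
    for (const a of m[2].matchAll(URL_ATTR_RE)) {
      let resolved;
      try { resolved = new URL(a[1], base); } catch { continue; } // skip malformed URLs
      // Relative and protocol-relative ("//cdn/...") references inherit https: from the page.
      if (resolved.protocol === 'http:') findings.push({ tag, url: resolved.href, kind });
    }
  }
  return findings;
}

// Worst case across the whole page: 'active' beats 'passive' beats 'none'.
function riskLevel(findings) {
  if (findings.some(f => f.kind === 'active')) return 'active';
  return findings.length ? 'passive' : 'none';
}

// Constructed sample page; hostnames are placeholders, not a real bank.
const SAMPLE_HTML = `
<html><head>
<link rel="stylesheet" href="https://www.banka.example/css/site.css">
<script src="http://static.banka.example/js/analytics.js"></script>
</head><body>
<img src="http://static.banka.example/img/logo.gif" alt="Bank A">
<img src="//static.banka.example/img/promo.jpg" alt="promo">
<a href="http://www.bankb.example/">Bank B</a>
<form action="https://www.banka.example/login" method="post">
  <input name="user"><input name="pass" type="password">
</form>
</body></html>`;

const findings = findMixedContent(SAMPLE_HTML, 'https://www.banka.example/');
for (const f of findings) console.log(`${f.kind.padEnd(7)} <${f.tag}> ${f.url}`);
console.log('overall risk:', riskLevel(findings));
```

On the sample page the stylesheet and the protocol-relative banner are fine because they resolve to https, the link to Bank B is a navigation rather than a load, and only two references are reported: the http analytics script (active, so the page is rated "active" overall) and the http logo (passive). Answering "No" to the IE8 prompt would fetch both; answering "Yes" is what keeps the active one out.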
I am not sure if I understand your complaint with that. He didn’t give you a real e-mail address. The board software just linked it because it followed the pattern of one and it would never go anywhere.
It’s the principle of it… if it’s NSFW, malicious or otherwise does not lead to a valid contribution, it should be broken. Not everyone’s as brilliant as we are, and may try to send something to it. I’m not saying it’s the most egregious error a person could make on this board, but nonetheless, I don’t think it should be done.