
On Sat, 13 Mar 2010 22:08:56 -0400, Brandon Kim said:
Some sites use images located at a different webserver that isn't HTTPS, and sometimes there are hidden iframes that bring you info from non-secure sites. But the actual login is posted to an HTTPS server.
Well... that's almost, but not quite, correct. The warning is because you may see a padlock displayed because the *outside* frames are https:// but there are iframes/CSS/images/whatever that have been fetched via other means - which creates 2 risks:

1) Those elements fetched via http:// traveled in the clear, and were thus visible to a sniffer. And yes, there's web designers stupid enough to do captcha graphics and bank records and similar via http://, causing an information leakage problem going from the site towards the user.

2) Given the joys of javascript, etc., there are a number of security issues with mixed-mode pages. A discussion of some of them is here: http://code.google.com/p/support/issues/detail?id=3400

Note particularly the injection problem - if you're at a wifi hotspot or similar, somebody can replace the non-secure parts and suddenly control the horizontal and vertical on your page, while you still think it's secure. (Yes they can screw with totally non-secure pages too, but a lot of people implicitly trust https: more than http:)
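The two risks above (plain-text leakage of passive content such as images, and injection into active content such as scripts, stylesheets and frames) are both caused by the same thing: an https:// document referencing subresources over http://. Below is an added example, not code from the thread or from any project it mentions, of how a site owner can audit their own pages for such references before a browser warns about them. It parses HTML with Python's standard library, resolves every fetchable URL against the page URL, and classifies any http:// result as "passive" (leaks to a sniffer) or "active" (can be replaced to take over the page). The hostnames and the sample HTML are constructed for the example; the classification follows the browser distinction between optionally-blockable and blockable mixed content.

```python
"""Audit an https:// page for http:// subresources (mixed content).

Added example; hostnames and the sample document are constructed, not real.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attributes whose value the browser will fetch as a subresource.
FETCH_ATTRS = {
    "img": ("src", "srcset"),
    "source": ("src", "srcset"),
    "script": ("src",),
    "iframe": ("src",),
    "link": ("href",),
    "object": ("data",),
    "embed": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
}

# Subresources that can run code or restyle the document: an attacker who
# replaces one of these in transit controls the page, not just one picture.
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}


def _srcset_urls(value):
    """Split 'url 1x, url2 2x' into its URL parts, skipping empty entries."""
    out = []
    for candidate in value.split(","):
        parts = candidate.strip().split()
        if parts:
            out.append(parts[0])
    return out


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, resolved_url, "active" | "passive")

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in FETCH_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            urls = _srcset_urls(value) if name == "srcset" else [value]
            for raw in urls:
                self._check(tag, attrs, raw)

    def _check(self, tag, attrs, raw):
        # urljoin handles relative ("/logo.png") and protocol-relative
        # ("//cdn.example.test/app.js") references: on an https page both
        # resolve to https and are correctly left alone.
        resolved = urljoin(self.page_url, raw.strip())
        if urlsplit(resolved).scheme != "http":
            return
        # A <link> is only "active" when it pulls in a stylesheet.
        rel = attrs.get("rel", "").lower().split()
        active = tag in ACTIVE_TAGS or (tag == "link" and "stylesheet" in rel)
        self.findings.append((tag, resolved, "active" if active else "passive"))


def find_mixed_content(page_url, html):
    """Return mixed-content findings for an https page; [] for non-https pages."""
    if urlsplit(page_url).scheme != "https":
        return []  # nothing is "mixed" unless the outer document is secure
    parser = MixedContentFinder(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: one leaky stylesheet, one leaky captcha, one
# injectable frame, plus two references that are fine on an https page.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://static.example.test/site.css">
<script src="//cdn.example.test/app.js"></script>
</head><body>
<img src="http://img.example.test/captcha.png">
<img src="/logo.png">
<iframe src="http://ads.example.test/frame.html"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for tag, url, severity in find_mixed_content("https://bank.example.test/login", SAMPLE_HTML):
        print(f"{severity:7} <{tag}> {url}")
```

Run as a script it lists the three http:// references and their severity; the protocol-relative script and the relative logo resolve to https and are not reported. The same distinction drives the fix: passive findings need the resource moved to https, active findings are the ones an attacker on the hotspot could swap, and a `Content-Security-Policy: upgrade-insecure-requests` header makes the browser rewrite both kinds to https before fetching.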