Hi
I have questions about security
I am using Mozilla to access gmail as https://mail.google.com/mail
Why Mozilla prompts me the alert box?
"You have requested an encrypted page that contains some unencrypted information. Information that you see or enter on this page could easily be read by a third party."
1/ Can network software help to check? if yes. which software and how?
2/ How Mozilla knows I have data not encrypted?
3/ Is https secured? If not. why it is PCI?
Thank you
adrian kok wrote:
Hi
I have questions about security
I am using Mozilla to access gmail as https://mail.google.com/mail
Why Mozilla prompts me the alert box?
"You have requested an encrypted page that contains some unencrypted information. Information that you see or enter on this page could easily be read by a third party."
1/ Can network software help to check? if yes. which software and how?
2/ How Mozilla knows I have data not encrypted?
3/ Is https secured? If not. why it is PCI?
Thank you
This message is saying that Google is including things using http:// in the site. This is common with images. The login is still secure; they just are not using SSL for some things.

[ ~ ] >> lynx --dump mail.google.com/mail|grep http\:\/\/
   http://gmail.com/app. [1]Learn more
   1. http://www.google.com/mobile/landing/mail.html#utm_source=gmailhpp
   2. http://mail.google.com/support/bin/answer.py?answer=46346&fpUrl=https%3A%2F%2Fwww.google.com%2Faccounts%2FForgotPasswd%3FfpOnly%3D1%26continue%3Dhttp%253A%252F%252Fmail.google.com%252Fmail%252F%253Fui%253Dhtml%2526zy%253Dl%26service%3Dmail%26ltmpl%3Ddefault&fuUrl=https%3A%2F%2Fwww.google.com%2Faccounts%2FForgotPasswd%3FfuOnly%3D1%26continue%3Dhttp%253A%252F%252Fmail.google.com%252Fmail%252F%253Fui%253Dhtml%2526zy%253Dl%26service%3Dmail%26ltmpl%3Ddefault&hl=en
   3. http://mail.google.com/mail/signup
   4. http://mail.google.com/mail/help/intl/en/about.html
   5. http://mail.google.com/mail/help/intl/en/about_whatsnew.html
   6. http://www.google.com/apps/intl/en/business/gmail.html#utm_medium=et&utm_source=gmail-signin-en&utm_campaign=crossnav
   7. http://gmailblog.blogspot.com/?utm_source=en-gmftr&utm_medium=et&utm_content=gmftr
   8. http://mail.google.com/mail/help/intl/en/terms.html
   9. http://mail.google.com/support/
Yup, what Larry said.....I wouldn't be too concerned about it. But some managers may make a big deal...

Some sites use images located at a different webserver that isn't HTTPS, and sometimes there are hidden iframes that bring you info from non-secure sites. But the actual login is posted to an HTTPS server.

Hope that helps.

Brandon
Follow me: twitter.com/brandontek
Date: Sat, 13 Mar 2010 20:14:26 -0600
From: larry-lists@maxqe.com
To: adriankok2000@yahoo.com.hk
Subject: Re: security questions
CC: nanog@nanog.org
On Sat, 13 Mar 2010 22:08:56 -0400, Brandon Kim said:
Some sites use images located at a different webserver that isn't HTTPS, and sometimes there are hidden iframes that bring you info from non-secure sites. But the actual login is posted to an HTTPS server.
Well... that's almost, but not quite, correct. The warning is because you may see a padlock displayed because the *outside* frames are https:// but there are iframes/CSS/images/whatever that have been fetched via other means - which creates 2 risks:

1) Those elements fetched via http:// traveled in the clear, and were thus visible to a sniffer. And yes, there's web designers stupid enough to do captcha graphics and bank records and similar via http://, causing an information leakage problem going from the site towards the user.

2) Given the joys of javascript, etc, there are a number of security issues with mixed-mode pages. A discussion of some of them is here:

http://code.google.com/p/support/issues/detail?id=3400

Note particularly the injection problem - if you're at a wifi hotspot or similar, somebody can replace the non-secure parts and suddenly control the horizontal and vertical on your page, while you still think it's secure. (Yes they can screw with totally non-secure pages too, but a lot of people implicitly trust https: more than http:)
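
An added example, not part of any post in this thread: a short Python audit that lists what a browser would fetch over plain http:// while rendering an https:// page (images, stylesheets, scripts, iframes) and ignores ordinary hyperlinks, which are only fetched when clicked. The sample page, its example.test host names and the active/passive labels are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Elements the browser fetches on its own while rendering. <a href> is absent
# on purpose: a hyperlink is fetched only if followed, so it never makes a page
# "mixed". "active" can script or restyle the page, "passive" is only displayed.
FETCHED = {
    "script": ("src", "active"), "iframe": ("src", "active"),
    "link": ("href", "active"),  # counted only when rel=stylesheet
    "img": ("src", "passive"), "video": ("src", "passive"), "audio": ("src", "passive"),
}

class MixedContentAuditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        if tag not in FETCHED:
            return
        attr, kind = FETCHED[tag]
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower().split():
            return
        raw = (attrs.get(attr) or "").strip()
        # Relative and protocol-relative URLs inherit the page's scheme.
        absolute = urljoin(self.page_url, raw)
        if raw and urlparse(absolute).scheme == "http":
            self.findings.append((kind, tag, absolute))

def audit(page_url, html):
    if urlparse(page_url).scheme != "https":
        return []  # the warning only applies to an https:// page
    auditor = MixedContentAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample page; the example.test hosts are placeholders.
SAMPLE_URL = "https://mail.example.test/mail"
SAMPLE_HTML = """<link rel="stylesheet" href="http://static.example.test/site.css">
<script src="https://mail.example.test/app.js"></script>
<img src="http://images.example.test/logo.png"><img src="/local/padlock.png">
<iframe src="//frames.example.test/frame.html"></iframe>
<a href="http://mail.example.test/mail/signup">Sign up</a>"""

for kind, tag, url in audit(SAMPLE_URL, SAMPLE_HTML):
    print(f"{kind:8} <{tag}> {url}")
```

Only the stylesheet and the first image are reported; the protocol-relative iframe and the relative image resolve to https://, and the sign-up link is not a subresource.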
participants (4)
- adrian kok
- Brandon Kim
- Larry Brower
- Valdis.Kletnieks@vt.edu