
Possible Duplicate:
When a page delivers secure and non-secure items over https, are the secure items compromised?

If you load jquery from the google ajax site like this:

<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.x.x/jquery.min.js"></script>

on an https page, in some browsers it will show that the page is not secure.

I have since fixed it to load like this:

<script type="text/javascript" src="//ajax.googleapis.com/ajax/libs/jquery/1.5.2/jquery.min.js"></script>

And it works fine.

My question is, could the site have been compromised by a hacker because of this improper loading of a non-https script?

Totomobile

1 Answer


What do you mean by hacking? If you think hacking is accessing your server, modifying pages, accessing private data, etc., no! Just because you serve some content over HTTP, it doesn't make a big security hole in your server for hackers.

If you mean someone in the middle of the way, like at ISPs or in a hacked network, could sniff traffic, yes! When you serve content over HTTP it's in plain text. Everyone could see content sent over HTTP via a simple software sniffer. But if you serve data via HTTPS, no one can decode the data except the server (web server) and the client (via the browser).

So you decide what it is.

Vahid Farahmand
  • Also, if you serve some content over HTTP, a hacker could inject some script or packet in networks it controls. Like, assume an ISP decides to hack its customers: they can inject an exploit kit via JavaScript into all HTTP traffic, but if it was HTTPS, no one could alter/change anything on it in mid-air. (There are some ways for SSL sniffing, but the browser will always trigger an exception for a non-trusted certificate, so forget it.) – Vahid Farahmand Jan 06 '13 at 04:35
  • Thanks for your answer! To be a little more specific, when you load an https page in a browser, but there is an element (jquery in this case) that is being loaded from an http source, the browser will complain that there is mixed source content. Now let's say we are sending some form data: does that mean that even though there is an SSL certificate on the page, the form data (or the entire http packet) will be unencrypted? Or does loading this non-secure script (jquery) only allow a hacker to hijack that particular script? Basically, can the browser continue to function in secure mode? – Totomobile Jan 06 '13 at 08:56
  • @Totomobile Security in JS is quite tricky! (It's not helped by the large amount of sometimes-subtle misinformation out there about security either.) What is definitely true though is that the version of jQuery that Google hosts is well-examined by people to ensure that it is doing what it should, and that requiring all external content in a secure page to also come over a secure channel is a _good_ erring on the side of caution. The easiest way to do this is to not use the “`http:`” part of any URLs in the page, and instead “inherit” that from the page's own URL… – Donal Fellows Jan 06 '13 at 22:46
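An added check, not code from the question or the answer, that audits an HTML document for the mixed-content pattern discussed in the question and in Donal Fellows' comment: sub-resources referenced by an absolute `http://` URL from a page that is itself served over https. The sample page and the host `cdn.example` are constructed; the suggested rewrite is the protocol-relative form the question switched to.

```python
"""Audit an HTML page for mixed content (http:// sub-resources on an https page).
Added example; not code from the question, the answer, or jQuery/Google."""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Attributes through which a page pulls in sub-resources.
RESOURCE_ATTRS = {
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "object": ("data",),
    "img": ("src",),
}

# "Active" content runs with the page's own privileges: a tampered copy of
# jquery.min.js controls the whole page (form data included), not just itself.
# Browsers block active mixed content outright and only warn about passive
# content such as images.
ACTIVE_TAGS = {"script", "link", "iframe", "object"}


class MixedContentAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, offending url, severity, suggested rewrite)

    def handle_starttag(self, tag, attrs):
        for name in RESOURCE_ATTRS.get(tag, ()):
            value = dict(attrs).get(name)
            if value and urlsplit(value).scheme == "http":
                severity = "active" if tag in ACTIVE_TAGS else "passive"
                # Drop the scheme: a protocol-relative "//host/path" URL inherits
                # the page's own scheme, so it is https on an https page.
                p = urlsplit(value)
                fixed = urlunsplit(("", p.netloc, p.path, p.query, p.fragment))
                self.findings.append((tag, value, severity, fixed))


def audit_mixed_content(html):
    parser = MixedContentAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one http:// script (the question's original form),
# one protocol-relative script (the fix), one https stylesheet, one http:// image.
SAMPLE_PAGE = """<html><head>
<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.5.2/jquery.min.js"></script>
<script type="text/javascript" src="//ajax.googleapis.com/ajax/libs/jquery/1.5.2/jquery.min.js"></script>
<link rel="stylesheet" href="https://cdn.example/site.css">
</head><body><img src="http://cdn.example/logo.png"></body></html>"""

if __name__ == "__main__":
    for tag, url, severity, fixed in audit_mixed_content(SAMPLE_PAGE):
        print(f"[{severity}] <{tag}> loads {url}  ->  use {fixed}")
```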