security questions

Hi

I have questions about security

I am using Mozilla to access Gmail as https://mail.google.com/mail

Why does Mozilla prompt me with the alert box?

"You have requested an encrypted page that contains some unencrypted information. Information that you see or enter on this page could easily be read by a third party."

1/ Can network software help to check? If yes, which software and how?

2/ How does Mozilla know I have data not encrypted?

3/ Is https secured? If not, why is it PCI?

Thank you


adrian kok wrote:

Hi

I have questions about security

I am using Mozilla to access Gmail as https://mail.google.com/mail

Why does Mozilla prompt me with the alert box?

"You have requested an encrypted page that contains some unencrypted information. Information that you see or enter on this page could easily be read by a third party."

1/ Can network software help to check? If yes, which software and how?

2/ How does Mozilla know I have data not encrypted?

3/ Is https secured? If not, why is it PCI?

Thank you


This message is saying that Google is including things using http:// in the site. This is common with images. The login is still secure; they just are not using SSL for some things.

  [ ~ ] >> lynx --dump mail.google.com/mail|grep http\:\/\/
    http://gmail.com/app. [1]Learn more
    1. Browse All of Google's Products & Services - Google
    2. Can't sign in to your Google Account - Google Account Help
    3. http://mail.google.com/mail/signup
    4. http://mail.google.com/mail/help/intl/en/about.html
    5. http://mail.google.com/mail/help/intl/en/about_whatsnew.html
    6. http://www.google.com/apps/intl/en/business/gmail.html#utm_medium=et&utm_source=gmail-signin-en&utm_campaign=crossnav
    7. Gmail | Google Blog
    8. http://mail.google.com/mail/help/intl/en/terms.html
    9. Gmail Help

Yup, what Larry said.....I wouldn't be too concerned about it. But some managers may make a big deal...

Some sites use images located at a different webserver that isn't HTTPS, and sometimes there are
hidden iframes that bring you info from non-secure sites. But the actual login is posted to an HTTPS server.

Hope that helps.

Brandon


Well... that's almost, but not quite, correct.

The warning is because you may see a padlock displayed because the *outside*
frames are https:// but there are iframes/CSS/images/whatever that have been
fetched via other means - which creates 2 risks:

1) Those elements fetched via http:// traveled in the clear, and were thus
visible to a sniffer. And yes, there are web designers stupid enough to do
captcha graphics and bank records and similar via http://, causing an
information leakage problem going from the site towards the user.

2) Given the joys of javascript, etc, there are a number of security issues
with mixed-mode pages. A discussion of some of them is here:

http://code.google.com/p/support/issues/detail?id=3400

Note particularly the injection problem - if you're at a wifi hotspot or
similar, somebody can replace the non-secure parts and suddenly control the
horizontal and vertical on your page, while you still think it's secure.
(Yes, they can screw with totally non-secure pages too, but a lot of people
implicitly trust https: more than http:)