0

The scenario goes like this: the main parts of the web site are on one server. All traffic goes over https. I have no control over this server.

Themes use css files and images from another server. Also over https. I have full control over this server.

How vulnerable is the main site (how and why) if css files and images would go over http? I am asking only about css and images.

I don't know how relevant it is, but the server is Apache and the language is PHP.

---------------- edit ------------
So far, there is a 'man in the middle' attack, which can change the css and thus hide my content, introduce new images and add more text.
But it cannot create live links or add js...

Here is a good discussion about this topic started by symcbean.

6
  • Vulnerable against what?
    – PeeHaa
    Commented Nov 4, 2015 at 11:18
  • Also people will get errors when doing that because of unsafe resources
    – PeeHaa
    Commented Nov 4, 2015 at 11:21
  • I think this question fits better at security.stackexchange.com
    – Ivar
    Commented Nov 4, 2015 at 11:21
  • @PeeHaa: Good question but I have no clear answer. Simply because I don't know what security holes it can create (if any).
    – CoR
    Commented Nov 4, 2015 at 11:22
  • 2
    There's already a discussion on the topic at security.stackexchange: security.stackexchange.com/questions/37832/css-based-attacks
    – symcbean
    Commented Nov 4, 2015 at 12:20

2 Answers 2

3

Any unencrypted HTTP connection can potentially be intercepted and modified by men-in-the-middle. That means, any resource you're retrieving via an HTTP connection is untrustworthy; it cannot be confirmed whether it's the original resource as intended. That means an attacker may be able to include resources in your page which you did not intend to include.

In the case of CSS files content can be altered on your site (display: none, content: "Please go to example.com and enter your password"), in the case of images exploits may be introduced (through buggy image decoding client-side), in the case of Javascript entirely arbitrary behaviour may be injected (e.g. sending all key-strokes to a 3rd party server).

11
  • changing src of css in the browser doesn't become vulnerable really.
    Commented Nov 4, 2015 at 11:23
  • No but the content is... @BhojendraNepal
    – PeeHaa
    Commented Nov 4, 2015 at 11:23
  • 1
    You can or cannot accept all you want, but this answer is perfectly correct on every point
    – PeeHaa
    Commented Nov 4, 2015 at 11:26
  • 1
    @Bhojendra You do not seem to realise how powerful CSS can be for altering content, and what security implementations this may curtail.
    – deceze
    Commented Nov 4, 2015 at 11:26
  • 1
    @CoR Examples always depend on specifics. It should be enough that it's theoretically possible to do something you do not intend to be done on your site. Someone somewhere someday will develop this theoretical security hole into a practical exploit. You simply do not dismiss obvious entry points as harmless because you can't think of a concrete exploit right now.
    – deceze
    Commented Nov 4, 2015 at 11:33
0

A third party may modify those CSS or images to convey different things, either by tampering with that data on the fly, or by spoofing the target. The browser would not know if it is getting those from a reliable source, and probably would complain about mixed content issues. CSS3 has many features that may bring pictures from another domain or include unintended content.

1
  • "include unintended content." can you name some for an example and clarity.
    – CoR
    Commented Nov 4, 2015 at 11:28
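
Both answers come down to the same check: which subresources would an HTTPS page request over plain HTTP? The following is an added example, not code from either answer, that audits a page's markup for such references in stylesheet links, images, scripts and inline CSS. The host names `main.example` and `themes.example` and the sample markup are constructed, and the script does not fetch or scan external stylesheet files.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Absolute http:// references inside CSS text: url(...) values and @import targets.
CSS_HTTP_REF = re.compile(r"""(?:url\(\s*|@import\s+)["']?(http://[^"')\s;]+)""", re.I)

class MixedContentAudit(HTMLParser):
    """Collect subresources an HTTPS page would request over plain HTTP."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.findings, self._in_style = page_url, [], False

    def _check(self, kind, ref):
        url = urljoin(self.page_url, ref.strip())  # resolves relative and //host refs
        if urlparse(url).scheme == "http":
            self.findings.append((kind, url))

    def _check_css(self, css):
        for ref in CSS_HTTP_REF.findall(css):
            self._check("css-url", ref)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "stylesheet" in (a.get("rel") or "").lower().split():
            self._check("stylesheet", a.get("href") or "")
        elif tag in ("img", "script") and a.get("src"):
            self._check("image" if tag == "img" else "script", a["src"])
        self._check_css(a.get("style") or "")  # inline style="" attribute
        self._in_style = tag == "style"

    def handle_endtag(self, tag):
        self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # text inside a <style> element
            self._check_css(data)

def audit(page_url, html):
    parser = MixedContentAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: an HTTPS page pulling theme assets from a second host.
SAMPLE = """<link rel="stylesheet" href="http://themes.example/site.css">
<link rel="stylesheet" href="//themes.example/print.css">
<style>body { background: url('http://themes.example/bg.png') }</style>
<img src="https://themes.example/logo.png">
<img src="http://themes.example/banner.jpg">"""
```

Calling `audit("https://main.example/", SAMPLE)` reports the three `http://` references; the protocol-relative `//themes.example/print.css` inherits the page's scheme and is not flagged.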
