Tag Archives: Mixed Content

Addressing Mixed Content Vulnerabilities

June 30, 2011 by Bruce Morton     1 Comment

I fail to understand why website operators continue to deploy sites with Mixed Content. Are the following trust dialogues presented to their users not sufficient incentive to correct the problem? Nevertheless, a recent study showed that 22 percent of sites use Mixed Content. Internet Explorer (IE) and Firefox present these security dialogues by default. That [Read More...]

Internet SSL Survey 2011

June 1, 2011 by Bruce Morton     1 Comment

Qualys SSL Labs has released its Internet SSL Survey Results for 2011, which were presented at Hack In The Box Amsterdam. The study focused on problems that break SSL due to poor website implementation — insecure session cookies, mixed content, incorrect site configuration and distribution of trust to third-party sites. The 2011 survey cross-referenced the [Read More...]

Filed Under: SSL Deployment Tagged With: Mixed Content, SSL, SSL Labs

HTTPS Performance Tuning

February 14, 2011 by Bruce Morton     No Comments

Following up my last post, “SSL is not computationally expensive anymore,” I noticed Google is still using a 1024-bit RSA certificate for Gmail. I did some digging and confirmed that the performance hit of using a 2048-bit RSA key is about five times that of a 1024-bit key. So this could create a 5-10 percent load [Read More...]

Filed Under: SSL Deployment, Technical Tagged With: Mixed Content, Performance, SSL

SSLPersonas

December 16, 2010 by Bruce Morton     No Comments

SSLPersonas is a Firefox extension that adds a little color to your secure browsing experience. When browsing an SSL-protected website, the extension provides in-your-face visual feedback regarding the security of the site via a theme in the Firefox chrome at the top and bottom of the browser interface. The themes are as follows: [Read More...]

Filed Under: EV SSL, Secure Browsing, SSL Tagged With: Firefox, Mixed Content, SSL

SSL Deployment Mistakes

September 21, 2010 by Bruce Morton     1 Comment

In June, Ivan Ristic of Qualys SSL Labs made a presentation at the OWASP AppSec Research 2010 conference called “Breaking SSL: Why leave to others what you can do yourself?” Ivan contends that “SSL is a rare application security area where we can make things virtually 100% secure, with relatively small effort.” However, he also [Read More...]