Re: [Full-disclosure] insecure elements in https protected pages



On Oct 18, 2009, at 6:03 PM, Mohammad Hosein <mhtajik@xxxxxxxxx> wrote:

in a certain web application e.g gmail there are times the whole
communication is secured by ssl and sometimes "there are insecure
elements" that raise questions . i'm not a web professional . how to
find these insecure elements ? and how to evaluate if these elements
are the results of a successful man in the middle attack or not ?

Insecure elements in a secure page wouldn't be the result of a man in
the middle attack. That would require being in the middle of the
https connection in order to change the content of the page.

If you're already in the middle of the https connection in a non-
obvious way, why downgrade to http?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/