https://bugzilla.wikimedia.org/show_bug.cgi?id=16822
Brian Jason Drake <brianr...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |brianr...@gmail.com

--- Comment #8 from Brian Jason Drake <brianr...@gmail.com> 2010-12-29 16:24:49 UTC ---
(In reply to comment #0)
> Currently we pull images (and CentralNotice JS) from
> http://upload.wikimedia.org even for pages accessed over SSL on
> https://secure.wikimedia.org/
>
> [snip]
>
> 2) A MITM attacker could replace your images with something malicious/nasty
> (moderately annoying)
>
> [snip]

It’s more than “moderately annoying” [0]. You said it yourself: the images
could be replaced with something “malicious”.

It’s more obvious how this could be a security risk when you consider that
images could be used by gadgets or user scripts.

[0] “How to Deploy HTTPS Correctly”
<https://www.eff.org/pages/how-deploy-https-correctly> (“Mixed Content”
section)
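Added example, not part of the original bug comment or of MediaWiki: a small audit helper that lists the plain-HTTP subresources a page served over HTTPS would load, which is the mixed-content condition this bug describes. The names `MixedContentFinder` and `find_mixed_content` and the active/passive labels are this example's own; the hosts are the ones named in the bug, and the paths and HTML are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# "active" content can script or restyle the page; "passive" is only displayed.
ACTIVE = {"script": "src", "iframe": "src", "link": "href", "object": "data", "embed": "src"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (class, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        kind = "active" if tag in ACTIVE else "passive" if tag in PASSIVE else None
        if kind is None:
            return
        values = dict(attrs)
        # <link> only loads a subresource when it is a stylesheet.
        rel = (values.get("rel") or "").lower().split()
        if tag == "link" and "stylesheet" not in rel:
            return
        raw = (values.get(ACTIVE.get(tag) or PASSIVE[tag]) or "").strip()
        # Resolve relative and protocol-relative URLs against the page URL.
        url = urljoin(self.page_url, raw)
        if raw and urlsplit(url).scheme == "http":
            self.findings.append((kind, tag, url))

def find_mixed_content(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on an HTTPS page
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample: hosts as named in the bug, paths and markup made up.
PAGE_URL = "https://secure.wikimedia.org/wikipedia/en/wiki/Example"
SAMPLE_HTML = """
<link rel="canonical" href="http://example.org/wiki/Example">
<img src="http://upload.wikimedia.org/constructed/photo.png">
<img src="//upload.wikimedia.org/constructed/logo.png">
<script src="http://upload.wikimedia.org/constructed/notice.js"></script>
<script src="/constructed/site.js"></script>
<a href="http://example.org/">external link</a>
"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(PAGE_URL, SAMPLE_HTML):
        print(kind, tag, url)
```

Passive findings are reported rather than dropped because, as the comment above argues, a replaced image is not harmless when gadgets or user scripts consume it.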