"I can't see photos in thread on xyz computer, but I can see them on my zyx"

vtsteam:
I believe that in Firefox and other Mozilla-based browsers, passive mixed content (like photos) is not blocked. Only active mixed content is blocked.

So that would not affect viewing images on this website in Firefox.
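
The passive/active distinction in the post above can be checked against a page's own markup. The following is an added example, not part of the original thread: it lists the `http://` subresources an HTTPS page would load and labels each one. The tag lists, host names and sample HTML are assumptions constructed for illustration.

```javascript
// Added example: flag http:// subresources on an HTTPS page and label each
// as passive (display-only media) or active (can change the page itself).
// The tag lists are a simplified, assumed subset; the regex scan is not a full HTML parser.
const PASSIVE = new Map([["img", "src"], ["audio", "src"], ["video", "src"]]);
const ACTIVE = new Map([["script", "src"], ["iframe", "src"], ["link", "href"],
                        ["object", "data"], ["embed", "src"]]);

// Constructed sample of a forum page body (hosts are placeholders).
const SAMPLE_HTML = `
<img src="http://photos.example/lathe.jpg" alt="lathe">
<img src="https://photos.example/press.jpg">
<img src='/attachments/cut.png'>
<script src="http://cdn.example/widget.js"></script>
<link rel="stylesheet" href="http://cdn.example/site.css">
<link rel="icon" href="http://cdn.example/favicon.ico">
<a href="http://other.example/">plain link, not a subresource</a>
`;

function attr(tagText, name) {
  // Matches name="v", name='v' or name=v; the leading \s keeps data-src from matching src.
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = re.exec(tagText);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

function findMixedContent(pageUrl, html) {
  const page = new URL(pageUrl);
  if (page.protocol !== "https:") return []; // mixed content only exists on HTTPS pages
  const findings = [];
  for (const m of html.matchAll(/<([a-z][a-z0-9]*)\b[^>]*>/gi)) {
    const tag = m[1].toLowerCase();
    const kind = PASSIVE.has(tag) ? "passive" : ACTIVE.has(tag) ? "active" : null;
    if (!kind) continue; // e.g. <a href>: a navigation link, not a subresource
    // Only stylesheet <link>s are counted as active in this simplified audit.
    if (tag === "link" && !/stylesheet/i.test(attr(m[0], "rel") || "")) continue;
    const raw = attr(m[0], (PASSIVE.get(tag) || ACTIVE.get(tag)));
    if (!raw) continue;
    let url;
    try { url = new URL(raw, page); } catch { continue; } // resolves relative URLs
    if (url.protocol === "http:") findings.push({ tag, kind, url: url.href });
  }
  return findings;
}

console.log(findMixedContent("https://forum.example/topic/1", SAMPLE_HTML));
```
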

John Rudd:
Having read the thread about your press, I made the changes suggested and saw all the photos, so that’s that fixed... for now. :lol:

vtsteam:
Since this issue has come up again recently, I want to clarify what I forgot to spell out earlier. HTTPS, or "secure" HTTP, is actually a misnomer. It should really be called "encrypted HTTP". It is not a guarantee of a website being a safe website. It merely means that when your browser sends or receives information to that website, the data is encrypted both ways. And to do that, the website has purchased a "security certificate", and that certificate is actually just the user's key to the encryption, not a guarantee of quality. That's all.

Therefore, if a bad actor wants to send out malware, all that is needed is to set up a website, and purchase a security certificate. Encrypting data doesn't make it good data, and just about anybody can purchase a security certificate.

Unfortunately, a few browsers now blocking ALL linked photos simply because they are served as ordinary http serves no security purpose. Secure data encryption is only useful where needed for pages of financial transactions or other obviously sensitive purposes. All browsers have notification features to show when on an encrypted (HTTPS) page while doing transactions or other private operations.

Ordinary web pages and photos do not need to be encrypted. Who cares if you are viewing a lathe taking a ten thousandths cut? Does that need encryption? It's public on a forum anyway. Where is the need for secrecy? If required, the encryption process however does use up lots of additional processing power for both viewing computer and server, and slows communication throughout the web. It also makes smaller personally funded websites unviewable, if the owner can't afford security certificates or the time needed to maintain and renew them, which is substantial.

Okay, long story short: HTTPS is not "secure", it is "encrypted", and can be just as insecure if what is encrypted is itself bad data. While HTTP is not in itself a security risk, it's just not encrypted data. That some commercially oriented browsers now block it out of hand is a real problem.

AdeV:
HTTPS isn't just encryption - although that's a big part of it... the main advantage it has over plain old HTTP is it's immune to "man in the middle" attacks - the underlying transport protocol (TLS) ensures that the server which claims to be serving the data is, in fact, the server that's serving the data. With HTTP, any other server could, in theory, hijack the connection & silently inject its own code.

You're right that https doesn't guarantee the server is in fact safe. All it really guarantees is that the data arriving at your browser came directly from the server it claims to be.

vtsteam:
True, so remember, no more free rides, if you want to spread malicious code, you'll have to get a certificate to do it. Under a pseudonym, of course, with zero background checks. But by gosh the person on the receiving end can rest assured that the malware is genuine. And encrypted.

I propose another solution. Use a special browser for doing secured transactions, which require certificates, and another browser for surfing the web. Eliminate the surfing browser's response to scripts and use plain html for providing useful information across the net. You can't inject code if a browser doesn't run it.
