Author Topic: Https caution indicator from Firefox on Evilzone.org?  (Read 927 times)

Offline shad0wingfir3

  • Serf
  • *
  • Posts: 40
  • Cookies: 4
    • View Profile
Https caution indicator from Firefox on Evilzone.org?
« on: September 04, 2014, 08:12:38 am »
Hi Evilzone, I wasn't sure where to post this, and did not find anything related via the search bar.

I am using Firefox (32.0) on Windows 8.1.
When I browse Evilzone the normal https:// protocol is there. All is normal, except when viewing forum topics. It shows a triangle caution ! mark. I click on it and it tells me...

"This website does not supply identity information. The connection to this website is not fully secure, because it contains unencrypted elements. (such as images)."

Is this by design, and what are the implications of this message? I'm just now learning about cryptography, and have a baby's understanding of HTTPS, and SSL. I am on my own network, and not paranoid, just curious. Thanks in advance!

--Shad0wingFir3
« Last Edit: September 04, 2014, 08:23:57 am by shad0wingfir3 »

Offline proxx

  • Avatarception
  • Global Moderator
  • Titan
  • *
  • Posts: 2803
  • Cookies: 256
  • ФФФ
    • View Profile
Re: Https caution indicator from Firefox on Evilzone.org?
« Reply #1 on: September 04, 2014, 08:34:56 am »
Iirc the board core has no native support for SSL over http which causes these errors.
A few people looked at packet dumps, including myself, and thus far found no leaking of sensitive data.

https://evilzone.org/hacking-and-security/session-hijacking-evilzone/msg72536/#msg72536
This might interest you.

Which includes a post from bluechill:
Quote
This is not possible in Alpha and is a flaw of SMF because SMF doesn't actually support SSL the way we want it to.  We've known about this for a long time and I brought it up to ande a while ago but what it came down to was: "SMF + SSL sucks and it's too much of a pain to fix"

This is before the fix.
« Last Edit: September 04, 2014, 08:37:48 am by proxx »
Wtf were you thinking with that signature? - Phage.
This was another little experiment *evillaughter - Proxx.
Evilception... - Phage

Offline shad0wingfir3

  • Serf
  • *
  • Posts: 40
  • Cookies: 4
    • View Profile
Re: Https caution indicator from Firefox on Evilzone.org?
« Reply #2 on: September 04, 2014, 08:53:48 am »
Cool, thanks proxx. Nice tutorial too! I have always heard of ARP poisoning, but never actually seen it in action. Glad to know SSL is stopping a potential listener from seeing my sessions!

Earlier today at the library, I got into someone's Yahoo email (they did not clear the history on the machine  ::) ) and used their previous session to look at it. I attempted to change their twitter password, but then decided not to be a prick and logged out and did a data clear.

I'm sketchy when on public networks so I wanted to be sure it was okay to log into evilzone while away from home.

Offline shad0wingfir3

  • Serf
  • *
  • Posts: 40
  • Cookies: 4
    • View Profile
Re: Https caution indicator from Firefox on Evilzone.org?
« Reply #3 on: September 04, 2014, 11:32:05 am »
The issue is caused by things like:

Code:
<img src="http://evilzone.org/Smileys/default/rolleyes.gif">
Notice that it says http:// and not https:// ? This warning is telling you that not every element that was loaded on the page is sourced from a secure location https. This means that while someone sniffing your connection wouldn't see most of the data sent to you on this page, they will see certain components, such as that smiley, that were not sent to you over the SSL connection.

That makes a lot of sense, no wonder the warning gives images as the example. Thank you for the clarification!

Offline Kulverstukas

  • Administrator
  • Zeus
  • *
  • Posts: 6627
  • Cookies: 542
  • Fascist dictator
    • View Profile
    • My blog
Re: Https caution indicator from Firefox on Evilzone.org?
« Reply #4 on: September 04, 2014, 12:22:05 pm »
Also the cert is self-signed, so there might be errors related to untrusted source as well.

Offline proxx

  • Avatarception
  • Global Moderator
  • Titan
  • *
  • Posts: 2803
  • Cookies: 256
  • ФФФ
    • View Profile
Re: Https caution indicator from Firefox on Evilzone.org?
« Reply #5 on: September 04, 2014, 01:12:57 pm »
You sure? On my computer it says it's a trusted certificate issued by RapidSSL?
It is trusted indeed.

Offline Stackprotector

  • Administrator
  • Titan
  • *
  • Posts: 2515
  • Cookies: 205
    • View Profile
Re: Https caution indicator from Firefox on Evilzone.org?
« Reply #6 on: September 04, 2014, 02:42:13 pm »
Almost all evilzone images are using https, but the problem is when people supply an external avatar/signature. Though these sites will not have access to your data and/or cookies.
~Factionwars
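
The two causes named in this thread (the `http://` smiley URL in Reply #3 and externally hosted avatars/signatures in Reply #6) can be audited in a rendered page with a short scanner. This is an added example, not code from the forum or from SMF; the page URL, the sample markup and every host other than the smiley URL quoted above are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> (URL attribute, class). Active content can rewrite the page;
# passive content is only displayed, which is why Firefox warns instead of blocking.
SUBRESOURCES = {"img": ("src", "passive"), "audio": ("src", "passive"),
                "video": ("src", "passive"), "script": ("src", "active"),
                "iframe": ("src", "active"), "link": ("href", "active")}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in SUBRESOURCES:
            return
        attr_name, kind = SUBRESOURCES[tag]
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # only stylesheets are fetched and applied to the page
        raw = attrs.get(attr_name)
        if not raw:
            return
        # Relative and protocol-relative (//host/x) URLs inherit the page's scheme.
        url = urlsplit(urljoin(self.page_url, raw))
        if url.scheme == "http":
            origin = "same-host" if url.hostname == self.page_host else "third-party"
            self.findings.append((tag, kind, origin, url.geturl()))

def find_mixed_content(page_url, html):
    """Return (tag, kind, origin, url) for each plain-HTTP subresource of an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on a page that was itself loaded over HTTPS
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample; only the smiley URL is taken from the thread.
PAGE_URL = "https://evilzone.org/index.php"
SAMPLE_PAGE = """
<img src="http://evilzone.org/Smileys/default/rolleyes.gif">
<img src="/images/logo.png">
<script src="//static.example/forum.js"></script>
<img class="avatar" src="http://avatars.example/user42.png">
"""
```

Calling `find_mixed_content(PAGE_URL, SAMPLE_PAGE)` reports the smiley as `same-host` and the avatar as `third-party`. The same-host case deserves the closer look, because a plain-HTTP request to the site's own host carries any cookie that is not flagged `Secure`.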

Offline Resistor

  • Peasant
  • *
  • Posts: 65
  • Cookies: -10
    • View Profile
Re: Https caution indicator from Firefox on Evilzone.org?
« Reply #7 on: September 04, 2014, 03:17:57 pm »
Iirc the board core has no native support for SSL over http which causes these errors.
A few people looked at packet dumps, including myself, and thus far found no leaking of sensitive data.

https://evilzone.org/hacking-and-security/session-hijacking-evilzone/msg72536/#msg72536
This might interest you.

Which includes a post from bluechill:
This is before the fix.




Nice thread. This is a MITM yes? Also, what is perse protection?


*Edited for you* next time just use the edit button.


It's insane how much better this forum is than hackforums. Thanks all for making this forum such a great learning environment.

Sorry for double posting. Bad habit. Tried to delete this post but doesn't look like I can.
« Last Edit: September 04, 2014, 03:35:23 pm by proxx »

Offline proxx

  • Avatarception
  • Global Moderator
  • Titan
  • *
  • Posts: 2803
  • Cookies: 256
  • ФФФ
    • View Profile
Re: Https caution indicator from Firefox on Evilzone.org?
« Reply #8 on: September 04, 2014, 03:34:02 pm »



Nice thread. This is a MITM yes? Also, what is perse protection?

Might be better to drop this in the actual thread. Yes, that would be an MITM.
Basically: encryption
And it depends who you would consider enemies.

Offline Stackprotector

  • Administrator
  • Titan
  • *
  • Posts: 2515
  • Cookies: 205
    • View Profile
Re: Https caution indicator from Firefox on Evilzone.org?
« Reply #9 on: September 04, 2014, 04:08:03 pm »
Great :D then we'll need to check the smiley URL generator :)
~Factionwars

Offline shad0wingfir3

  • Serf
  • *
  • Posts: 40
  • Cookies: 4
    • View Profile
Re: Https caution indicator from Firefox on Evilzone.org?
« Reply #10 on: September 05, 2014, 06:55:59 am »
Great discussion guys, thanks for the help on clarifying the issue. I just found "HTTPS everywhere" from EFF for my Firefox setup researching the issue. A pretty cool find if you ask me. It still shows that caution (as expected), but it allows me to know that I have that little bit of extra security through it.

Offline Stackprotector

  • Administrator
  • Titan
  • *
  • Posts: 2515
  • Cookies: 205
    • View Profile
Re: Https caution indicator from Firefox on Evilzone.org?
« Reply #11 on: September 05, 2014, 09:50:53 am »
Yes, an addon like that is a good practice :)
~Factionwars