
Cap grade at D if the server has mixed content or 3rd party scripts

Question asked by Richard Neill on Nov 6, 2015
Latest reply on Nov 6, 2015 by Rob Moss

I just discovered our web devs have done 2 bad things...


1. Include mixed content (some served by http, some by https)

2. Include 3rd party scripts (JS and fonts from a CDN) - which leak information to that CDN - complete with http-referer as well!


Given that the whole point of SSL is to maximise security, and that OCSP is designed to stop even the SSL-issuer from being able to see traffic analysis, I think that this is not good. Yet, when I tested with the SSL labs tool, we still got an "A+", which in my view we didn't deserve, and which made me overlook this mistake.


Can I suggest that, if the server's home-page commits either of these sins, you should cap it at D?


Thanks,


Richard
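The two problems Richard describes (mixed content and third-party scripts/fonts that receive the Referer header) can be checked for in a page's own HTML before relying on a TLS-configuration grade. The following is an added example, not code from the original thread or from SSL Labs: it parses an HTML document, flags sub-resources fetched over plain http on an https page and script/stylesheet includes from other hosts, and shows what a third-party host would see in the Referer header under each `Referrer-Policy` value. The page URL, hostnames and HTML below are constructed placeholders.

```python
"""Audit an HTTPS page's HTML for mixed content and third-party script/font
includes, and model what the Referer header leaks to those third parties.

Added example; the sample HTML and hostnames are constructed placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attribute pairs that make the browser fetch a sub-resource.
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


class ResourceCollector(HTMLParser):
    """Collect (tag, rel, url) for every sub-resource reference in the HTML."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = RESOURCE_ATTRS.get(tag)
        if attr and attrs.get(attr):
            self.resources.append((tag, (attrs.get("rel") or "").lower(), attrs[attr]))


def audit_page(page_url, html):
    """Return {'mixed_content': [...], 'third_party': [...]} for the page.

    mixed_content: any sub-resource loaded over http from an https page.
    third_party:   scripts and stylesheets/preloads (the usual way fonts are
                   pulled in) whose host differs from the page's host.
    """
    page = urlparse(page_url)
    collector = ResourceCollector()
    collector.feed(html)
    findings = {"mixed_content": [], "third_party": []}
    for tag, rel, raw in collector.resources:
        url = urljoin(page_url, raw)  # resolves relative and protocol-relative (//) URLs
        res = urlparse(url)
        if page.scheme == "https" and res.scheme == "http":
            findings["mixed_content"].append(url)
        executes_or_styles = tag == "script" or (tag == "link" and rel in ("stylesheet", "preload"))
        if executes_or_styles and res.hostname and res.hostname != page.hostname:
            findings["third_party"].append(url)
    return findings


def suggested_cap(findings):
    """Richard's proposed rule: either finding caps the grade at D."""
    return "D" if findings["mixed_content"] or findings["third_party"] else None


def referer_sent(policy, page_url, resource_url):
    """What the Referer header carries for a sub-resource fetch under `policy`.

    Returns the full page URL (minus fragment), the origin only, or None.
    Browsers in 2015 defaulted to no-referrer-when-downgrade (full URL sent to
    an https CDN); current browsers default to strict-origin-when-cross-origin.
    """
    page, res = urlparse(page_url), urlparse(resource_url)
    full = page._replace(fragment="").geturl()
    origin = f"{page.scheme}://{page.netloc}/"
    same_origin = (page.scheme, page.netloc) == (res.scheme, res.netloc)
    downgrade = page.scheme == "https" and res.scheme == "http"
    policy = policy or "strict-origin-when-cross-origin"
    rules = {
        "no-referrer": lambda: None,
        "unsafe-url": lambda: full,
        "no-referrer-when-downgrade": lambda: None if downgrade else full,
        "origin": lambda: origin,
        "same-origin": lambda: full if same_origin else None,
        "strict-origin": lambda: None if downgrade else origin,
        "origin-when-cross-origin": lambda: full if same_origin else origin,
        "strict-origin-when-cross-origin": lambda: full if same_origin else (None if downgrade else origin),
    }
    if policy not in rules:
        raise ValueError(f"unknown Referrer-Policy value: {policy!r}")
    return rules[policy]()


# Constructed sample: an account page that pulls a CDN font stylesheet, a CDN
# script, a plain-http image from its own host and a protocol-relative image.
PAGE_URL = "https://www.example.com/account?id=42"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://fonts.example-cdn.net/css?family=Roboto">
<link rel="stylesheet" href="/static/site.css">
<script src="https://cdn.example-cdn.net/jquery.js"></script>
<script src="/static/app.js"></script>
</head><body>
<img src="http://www.example.com/images/logo.png">
<img src="//cdn.example-cdn.net/banner.png">
</body></html>
"""

if __name__ == "__main__":
    result = audit_page(PAGE_URL, SAMPLE_HTML)
    print("mixed content :", result["mixed_content"])
    print("third party   :", result["third_party"])
    print("suggested cap :", suggested_cap(result))
    for pol in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"):
        print(f"{pol:32s} -> Referer: {referer_sent(pol, PAGE_URL, result['third_party'][1])}")
```

Run against the constructed sample, the audit reports one mixed-content image and two third-party includes, and the Referer model shows that under the 2015 default policy the CDN receives the full `/account?id=42` URL, while `strict-origin-when-cross-origin` reduces that to the bare origin and `no-referrer` (settable via a `Referrer-Policy` header or `<meta name="referrer">`) removes it entirely.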
