
is it safe to fetch an image on plain http on a bank's homebanking website?

I ask here instead of https://security.stackexchange.com/ because I don't think this question is on a professional level.

I just saw something weird on my bank's website: they are fetching an image from another domain using http instead of https. On Firefox it raises a "mixed content" security alert; on Chrome it just shows an alert in the security tab.

This is the site: https://www.bancoprovincia.com.ar/Principal/BipPersonal

The unsafe content (an image) happens to be on the page just before the user logs in to their home banking. I was worried that some attacker could intercept the content and replace it with something that could be a security risk.

Any chance this is a security risk for the bank and its clients?

It's not a direct vulnerability, but still bad practice.

Some risks that come to mind:

  • An attacker having access to users' connections (man in the middle) could replace the image with a malicious one, exploiting potential zero-day (as yet unknown) flaws in browser or operating system image processing libraries. This could lead to remote code execution on the client.

  • Replacing the image could also be used to facilitate phishing. The malicious image could tell the user to call a phone number because of some kind of problem, etc.

  • It is an information leak. An attacker may receive information about users browsing to the bank website; also, if the image is in a header included on all pages, they may receive information about what the user does. This is inherently the case for every external site that has its images linked, even over https, but over http this also applies to any MitM attacker.

  • It is a potential availability problem. If the image on the external site times out (waits too long to download), the page will not load for some time in some browsers, and an attacker could exploit that. However, I think this is not affected by the image being served on plain http; it would affect an externally linked https image as well, I think.

  • It's also a very bad practice, because instead of strengthening good security habits in users, like always checking the browser's indications of a secure website, it is telling them that it's ok if there are warnings. It is not.
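As an added, runnable illustration of the "mixed content" condition the question describes (editor-supplied example code, not code from the question or the answer above), the following Python script does offline what the browser does when it raises the warning: given the https URL of a page and its HTML, it resolves every subresource reference and reports the ones that would be fetched over plain http, distinguishing passive content (images and media, which browsers merely warn about, as in the question) from active content (scripts, stylesheets, frames, which browsers block). The page URL, hostnames and HTML below are constructed for the example and are not the bank's actual markup.

```python
"""Offline mixed-content scanner (added example, not from the original post).

Parses the HTML of a page served over https and lists every subresource that
the browser would fetch over plain http, i.e. the references that trigger the
"mixed content" warning. Everything here is standard library only.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attributes whose value makes the browser fetch a subresource.
FETCH_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "source": ("src", "srcset"),
    "video": ("src", "poster"),
    "audio": ("src",),
    "object": ("data",),
    "embed": ("src",),
}

# Active mixed content can execute code or restyle the page, so browsers block
# it; passive content (images, media) is only warned about, which is the
# situation described in the question.
ACTIVE_TAGS = {"script", "link", "iframe", "object", "embed"}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # list of (tag, resolved_url, "active" | "passive")

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Only a stylesheet <link> is a load we care about; rel values such as
        # "canonical" do not cause a fetch and are skipped.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for name in FETCH_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            if name == "srcset":
                # srcset is "url [descriptor], url [descriptor], ..."; URLs
                # containing commas are not handled by this simple split.
                candidates = [c.strip().split()[0] for c in value.split(",") if c.strip()]
            else:
                candidates = [value]
            for raw in candidates:
                # Relative and protocol-relative ("//host/x") references inherit
                # the page's https scheme, so only absolute http:// URLs remain.
                url = urljoin(self.page_url, raw)
                if urlsplit(url).scheme == "http":
                    kind = "active" if tag in ACTIVE_TAGS else "passive"
                    self.findings.append((tag, url, kind))


def find_mixed_content(page_url, html):
    """Return (tag, url, kind) for each http:// subresource of an https page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on pages that are themselves secure
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample input (assumed hostnames; not the bank's real page).
SAMPLE_PAGE_URL = "https://www.example.test/Principal/Login"
SAMPLE_HTML = """
<html><head>
<link rel="canonical" href="http://www.example.test/Principal/Login">
<link rel="stylesheet" href="/static/site.css">
<link rel="stylesheet" href="http://cdn.other-example.test/theme.css">
<script src="https://cdn.example.test/app.js"></script>
</head><body>
<img src="http://img.other-example.test/banner.png" alt="promo">
<img src="//img.other-example.test/logo.png" alt="logo">
<img srcset="http://img.other-example.test/a.png 1x, https://img.other-example.test/a@2x.png 2x">
<script src="http://cdn.other-example.test/widget.js"></script>
<form action="https://www.example.test/login">...</form>
</body></html>
"""

if __name__ == "__main__":
    for tag, url, kind in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{kind:7} <{tag}> {url}")
```

To check a real page, save its HTML and pass it to find_mixed_content together with the page's https URL; the browser's own developer console (Firefox's Web Console, Chrome's Security panel) reports the same references. On the site side the fix is to reference the image over https, or to send the Content-Security-Policy: upgrade-insecure-requests header, which makes the browser rewrite such http subresource requests to https before they leave the client.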

Notice: the technical posts on this site are published under the CC BY-SA 4.0 license; if you repost, please credit this site or the original URL. For any questions contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM