TLS/SSL made 'insecure' in new topics (autogenerating images from links)

Meta
#1

When creating a new topic, links pasted into the working draft box sometimes generate images; for example:

*http://superuser.com/questions/288267/what-are-the-common-router-default-dhcp-ip-address-ranges

is automatically converted into

I notice that occasionally the accompanying images are served over HTTP rather than HTTPS, as in the case of placing a link to another post here in the forums; one example:

*VPN-How To Connect Successfully & Securely -UFW/OpenVPN/UbuntuMATE 15.04

automatically converts to

which includes the up/down arrow image, served over HTTP.

This of course produces the warning in Firefox shown here

indicating TLS/SSL security is undermined (green padlock next to the URL changes to a yellow caution triangle) because "some elements on this page are not secure".

Truthfully I don't know if TLS/SSL is seriously threatened by such a thing, but as a noob I tend to pay attention to my browser's warnings with perhaps more seriousness than they really warrant. And maybe this is intended behavior for the site, to pull image data over HTTP where necessary, since it doesn't pose any real threat. Just thought I would point out this is happening in some instances.

Ubuntu forum users, please read the following security advisory link
#2

I can confirm this happens, but there may not be much we can do to reduce this at the moment.

Unless the website you were linking to was harmful (ie. maliciously crafted images), it’s only a threat to your web browser until the forum automatically download its own local copy.

To reduce it, try to link images that have a https:// address.

#3

Thanks for this explanation. This is advice I can operationalize. :slight_smile:

I’m missing something here, though… In light of the above, certainly, it’s probably not critical.

For the sake of clarity, as I understand the process:

  1. Commenter adds https:// link to their comment
  2. https:// link is, in some cases, automatically converted by the site into stylized “block”, which happens to include an embedded image
  3. Embedded image within block is, in some cases, being served over http://

So the commenter has in effect linked to the image unwittingly (i.e., there was no point at which the commenter could check what image would be called by the site’s conversion of the link, let alone evaluate whether it would get fetched over http:// vs. https://

Of course, linking directly to images is a separate issue–and checking the address is https:// in such cases would be good practice.

#4

I’ll just clarify this a little clearer: The HTTP requests from the forum’s HTTPS is only a minor “threat” to the user’s web browser. It’s only an issue if the HTTP request was hijacked (highly unlikely) in a man-in-the-middle attack and the wrong (malicious) image was retrieved in your browser. The forum automatically downloads an externally linked image to prevent a dead link later.

Then as we know, once the forum has its own copy, the image is retrieved by via HTTPS. The system did that to one of my posts the other day.

We’re talking about images here – the link “blocks” probably apply too, when an image is determined based on the page contents, which may be done and linked over HTTP.