Google has confirmed that the latest versions of the Chromium platform will protect against "mixed scripting" vulnerabilities that might be hiding within secure http (https) pages.
Google Chrome security team members Chris Evans and Tom Sepez said in a blog posting that vulnerabilities can arise from a gap between https pages and embedded components in the page itself.
In some cases, a page may be using a secure connection to encrypt data, while a component may be using an unsecure connection. Data travelling to and from the component could be intercepted by a man-in-the-middle attack.
"A man-in-the-middle attacker (such as someone on the same wireless network) can typically intercept the http resource load and gain full access to the web site loading the resource," said the researchers. "It's often as bad as if the web page hadn't used https at all."
Google is updating Chromium to alter the address bar for risky pages to help guard against mixed scripting and less-severe "mixed display" flaws, which allow an attacker to use an unsecure script to alter the look of a page.
New icons in the browser bar will notify users when a possible mixed scripting vulnerability is spotted on a site. Vulnerabilities will be flagged by bright red strike-through text for mixed script conditions and faded grey text for mixed display issues.
The new version of Chromium will also disable scripts on vulnerable sites by default, and display a bar allowing the user to reload the page with the script running.
The feature will be enabled for the Chromium 14.0.785.0 and later releases.
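A site owner can look for the same condition before the browser flags it. The following is an added example, not code from the article or from Chromium: a small Python audit that lists the subresources an https page would load over plain http and sorts them into the two categories described above. The tag-to-category mapping, the sample markup and the example.test URLs are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed mapping of tags to the article's two categories (not from the article).
SCRIPTING = {"script": "src", "object": "data", "embed": "src"}
DISPLAY = {"img": "src", "audio": "src", "video": "src", "source": "src"}

class MixedContentAudit(HTMLParser):
    """Collects subresources that an https page would fetch over plain http."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (category, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "stylesheet" in (a.get("rel") or "").lower().split():
            self._check("mixed scripting", tag, a.get("href"))
        elif tag in SCRIPTING:
            self._check("mixed scripting", tag, a.get(SCRIPTING[tag]))
        elif tag in DISPLAY:
            self._check("mixed display", tag, a.get(DISPLAY[tag]))

    def _check(self, category, tag, ref):
        if not ref:
            return
        # Resolve relative and protocol-relative references against the page URL.
        url = urljoin(self.page_url, ref.strip())
        if urlsplit(url).scheme == "http":
            self.findings.append((category, tag, url))

def audit(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only applies to pages served over https
    parser = MixedContentAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample markup, not taken from any real site.
SAMPLE = ('<script src="http://cdn.example.test/lib.js"></script>'
          '<script src="//cdn.example.test/ok.js"></script>'
          '<link rel="stylesheet" href="http://static.example.test/site.css">'
          '<img src="http://img.example.test/logo.png"><img src="/local.png">')

if __name__ == "__main__":
    for finding in audit("https://shop.example.test/cart", SAMPLE):
        print(*finding, sep="\t")
```

Protocol-relative and site-relative references inherit the page's https scheme, so only the three explicit http:// loads are reported.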