
Mixed content


jri


I've found a bug where the website tries to load the New Log page over a secure HTTPS connection, but the integrity of the page is compromised by loading an image over HTTP (the icon showing the cache type). Mixing HTTPS (secure) and HTTP (insecure) content on the same web page is generally regarded as a bad thing in security terms.

 

As a more general issue, it is inconsistent that some parts of the website (notably the Maps page) will only load via a secure HTTPS link, while some only load over insecure HTTP (cache listings), but others happily load using either. The New Log page loads via HTTP if you click the "Log your visit" link on a cache listing, but HTTPS if you go directly from a popup on the Maps page. It's debatable whether anything other than account or payment details really needs to be sent securely, since most other things on the site are posted publicly anyway (cache submission forms, which could contain "secret" information, don't seem to be sent securely at the moment).

 

Keeping the whole site (less account info) on HTTP would reduce the burden on servers (no need for processing encryption). Making the whole site HTTPS might please some of the privacy advocates. The way it is at the moment is just confusing, because you're never entirely sure whether a page is supposed to be secure or not, and whether your browser's mixed content warning or insecure connection icon is something you should worry about.
