CoR

Reputation: 3914

Security - css files over http or https

Scenario goes like this: The main parts of the web site are on one server. All traffic goes over https. I have no control over this server.

Themes use css files and images from another server. Also over https. I have full control over this server.

How vulnerable is the main site (how and why) if css files and images would go over http? I am asking only about css and images.

I don't know how relevant it is, but the server is Apache and the language is PHP.

---------------- edit ------------
So far, there is a 'man in the middle' attack, where the attacker can change the CSS and thus hide my content, introduce new images and add more text.
But they cannot create live links or add JS...

Here is a good discussion about this topic started by symcbean.

Upvotes: 0

Views: 179

Answers (2)

deceze

Reputation: 522091

Any unencrypted HTTP connection can potentially be intercepted and modified by men-in-the-middle. That means, any resource you're retrieving via an HTTP connection is untrustworthy; it cannot be confirmed whether it's the original resource as intended. That means an attacker may be able to include resources in your page which you did not intend to include.

In the case of CSS files, content can be altered on your site (display: none, content: "Please go to example.com and enter your password"); in the case of images, exploits may be introduced (through buggy image decoding client-side); in the case of JavaScript, entirely arbitrary behaviour may be injected (e.g. sending all key-strokes to a 3rd party server).

Upvotes: 3

vtortola

Reputation: 35905

A third party may modify those CSS or images to convey different things, either by tampering with that data on the fly, or by spoofing the target. The browser would not know if it is getting those from a reliable source, and probably would complain about mixed content issues. CSS3 has many features that may bring pictures from another domain or include unintended content.

Upvotes: 0
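
An added example, not part of either answer: a small Python audit that lists every stylesheet and image reference an HTTPS page would fetch over plain HTTP, including references made from inside CSS, which is the mixed content the answers describe. The host names, sample markup and the kind labels (`stylesheet`, `image`, `css-url`) are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# url(...) and @import targets in CSS: group 1 = prefix, group 2 = reference.
CSS_REF = re.compile(r"""(@import\s+(?:url\(\s*)?|url\(\s*)["']?([^"')\s;]+)""", re.I)

def insecure(base, ref):
    """Resolve ref against base; return the absolute URL only if it is plain http."""
    absolute = urljoin(base, (ref or "").strip())
    return absolute if urlparse(absolute).scheme == "http" else None

def scan_css(css, css_url):
    """Relative references inherit the scheme of the stylesheet that contains them."""
    hits = ((m.group(1).lower(), insecure(css_url, m.group(2))) for m in CSS_REF.finditer(css))
    return [("stylesheet" if p.startswith("@import") else "css-url", u) for p, u in hits if u]

class PageScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.findings, self.in_style = page_url, [], False

    def add(self, kind, ref):
        url = insecure(self.page_url, ref)
        if url:
            self.findings.append((kind, url))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self.in_style = tag == "style"
        if tag == "link" and "stylesheet" in (a.get("rel") or "").lower():
            self.add("stylesheet", a.get("href"))
        elif tag == "img":
            self.add("image", a.get("src"))
    def handle_endtag(self, tag):
        self.in_style = False
    def handle_data(self, data):
        if self.in_style:  # inline <style> blocks can reference http:// resources too
            self.findings += scan_css(data, self.page_url)

def scan_html(html, page_url):
    scanner = PageScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample input; main.example and themes.example are placeholder hosts.
SAMPLE_HTML = ('<link rel="stylesheet" href="http://themes.example/site.css">'
               '<img src="/logo.png"><style>b{background:url(http://themes.example/b.png)}</style>')
SAMPLE_CSS = '@import url("extra.css"); h1 { background: url(img/h.png) }'
```

Run `scan_html` on the page source with the page's HTTPS URL, then `scan_css` on each fetched stylesheet with that stylesheet's own URL: a sheet served over HTTP pulls its relative images and imports over HTTP as well.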
