Im looking at migrating my website to https throughout. I have a server responsible for the HTML/PHP, and 4 other servers which serve image content
Now clearly all the image servers need to be https to prevent browser warnings, but I wonder..
Is there any requirement for the image servers to be the same encryption strength as the main SSL website? Or is it enough that they are served via https, regardless of key length and chosen cipher.
I cant really find anything conclusive about this on Google, but admittedly its a difficult topic to search for
This seems as though it could be browser-dependent, but in my experience, the browsers just require that replaced content in the page be loaded by HTTPS. They don't care what strength it is.
In brief , your correct to assume any external resource that is hosted on https:// with any type of SSL/TSL etc will cause no noticeable effect to any of your visitors.
We had this exact same question when we were forced to include some remote JS by our payment card processor.
After some research with every device and browser combination we could get hold of ( and using some web tools such as browsershots.org and modern.ie .
We found all the browsers we tested only reffered to the URL of the page loaded ( and it's headers ) when giving a padlock/secure connection logo to the client/visitor.
It is very common when including external JS/images/ widgets etc, for the included external resource / file to have vastly different cipher chains for TLS / SSL negotiation.
Even expert write-ups our own PCI standards daily scanner and industry expert resources we found like www.ssllabs.com, give you an overview and a grade on your servers ability to negotiate TLS/SSL/SPDY etc, they dont even load the document content, let alone look for any included external resources. They just look at your ability to handshake at the server level.
In our specific website /example providing support for the latest TLS versions along with googles new SPDY protocol, we awarded 'A+' by ssllabs.com and all browsers showing the secure logo, even though the page included an external javascript resource that allowed both outdated SSL3 and 64bit SSL yet none of the newer industry standard encryption.