Mixed web content

By Jake Edge
April 17, 2013

There are essentially two modes for retrieving content from the web: unencrypted plaintext using HTTP and encrypted with SSL/TLS using HTTPS. But there are quite a number of web pages out there that mix the two modes, so that some content is retrieved securely while other parts are not. These mixed content pages are of concern because it is difficult to properly warn users that an HTTPS page is potentially insecure when it is getting some of its contents from outside of the encryption protection. Mozilla is gearing up to block some mixed content by default and to add a way to alert users to the presence of mixed content.

In a blog post, Mozilla security engineer Tanvi Vyas describes the background of the problem and Mozilla's plans for mixed content. Mixed content can be categorized by whether the insecure content is active or passive. Active content covers web resources like scripts, CSS, iframes, objects, and fonts. These are generally things that can affect the document object model (DOM) of the page. Passive content, on the other hand, cannot affect the DOM and includes things like images, audio, and video.

For fairly obvious reasons, mixed active content is a bigger problem than mixed passive content. That doesn't mean there are no issues with mixed passive content, as there are still privacy and other concerns, but mixed active content is much worse. A seemingly secure page with an https:// URL can instead be infiltrated by a man in the middle to steal credentials, web browsing history, secure cookies, and more.

Starting in Firefox 23, which should be released in mid-August, mixed active content will be blocked by default. Mixed passive content will not be blocked by default, at least partly to try not to contribute to "security warning fatigue" (i.e. warning so frequently that users get overwhelmed and just click "continue" all the time).

According to Vyas, code for mixed content blocking started landing in Firefox 18, but a user interface was not added until Firefox 21 (which is still in beta and should be released in mid-May). Those who want to try out the feature can set the security.mixed_content.block_active_content (active) and security.mixed_content.block_display_content (passive) about:config options to true. Prior to Firefox 21, though, changing those values and reloading the page will be the only way to override the settings.

[Mixed content blocker]

In her blog post, Vyas goes into a fair amount of detail about the changes made to the user interface in support of mixed content blocking. For one thing, mixed content pages will no longer get the "lock" icon in the address bar, so that users will hopefully be less complacent about them. A new shield icon is used to indicate content that has been blocked, with user-interface elements to disable the blocking for the page (seen at right). That user interface is one of the pieces missing from the earlier versions of Firefox, so per-page blocking and unblocking of mixed content cannot be done there.

There are some edge cases to consider, including frames and fonts, both of which have been classified as active content by Firefox (though Chrome, for example, considers frames to be passive). While technically a frame can't alter the DOM of the page, it can do various tricks to fool users into entering sensitive information into insecure frames. Other tricks are possible too. Fonts are another case that is treated as active even though they cannot change the DOM. A malicious font could change what a page says, though, and blocking an HTTP font on a secure page won't break anything since the browser will fall back to a default font. In any case, it is believed that mixed font content is rare.

Many web users will remember the "HTTP content on an HTTPS page" complaint that browsers pop up—some may still be seeing them—though most have probably disabled the message because it is shown too frequently. Instead of a pop-up, simply blocking the content is likely to prove a much better experience, both from a security and a usability perspective. It will also hopefully help site owners and designers find ways to avoid mixed content on the web.


Mixed web content

Posted Apr 18, 2013 6:33 UTC (Thu) by mastro (subscriber, #72665)

"HTTP content on an HTTPS page" is a much better description of the problem than "mixed content".

In particular embedding any kind of HTTPS content (JS, CSS, images and whatnot) in a page served over HTTP is never worse than just using HTTP for everything and it can instead be better (it reduces the attack area and it can be a first step toward switching everything to HTTPS).

Mixed web content - at lwn.net

Posted Apr 18, 2013 16:17 UTC (Thu) by sbailey (subscriber, #54)

Ironically, lwn.net is the biggest offender among sites I visit regularly. I'm saddled with IE 8, our corporate-mandated browser, and nearly every page I render generates the mind-numbing "Do you want to view only the webpage content that was delivered securely?" pop-up window.

Mixed web content - at lwn.net

Posted Apr 18, 2013 16:25 UTC (Thu) by corbet (editor, #1)

Suffice to say that ad networks are a pain. Turn off advertisements and this particular problem should go away entirely.

Mixed web content - at lwn.net

Posted Apr 25, 2013 21:07 UTC (Thu) by jmorris42 (subscriber, #2203)

Yup, sucks to be a niche site so poor you must accept ads. But this move won't affect the greater Internet since ads are so rare out there; so Moz will totally win with this move. Yup, and those few ads still out on the Internet are of course delivered by companies happy to pony up for the CPU power to serve their annoying animated gifs (and nasty script bits.. i.e. active content) over safe https links. Because Firefox is the dominant player on the Internet and all. [/snarky]

Anyone care to get a pool going on the following two lines:

1. How many points of market share Firefox drops in the next three months.

2. How many months before the default choice is changed to one more amenable to the needs of the commercial nature of today's Internet?

Mixed web content - at lwn.net

Posted Apr 25, 2013 21:58 UTC (Thu) by dlang (✭ supporter ✭, #313)

If you think that most of the Internet is ad-free, you are seeing a very different Internet than I am (even vendor sites have vendor ads on them).

Mixed web content - at lwn.net

Posted Apr 25, 2013 22:07 UTC (Thu) by rahulsundaram (subscriber, #21946)

That was clearly sarcastic and you seem to have missed that.

Blocking unencrypted content from encrypted pages... WIN!

Posted Apr 29, 2013 10:42 UTC (Mon) by shane (subscriber, #3335)

I don't see why Firefox's market share would drop at all. This change would result in advertisements disappearing... if anything this should encourage people to shift right? (The posted complaint was about Internet Explorer 8, after all.)

Mixed web content

Posted Apr 20, 2013 16:12 UTC (Sat) by louie (subscriber, #3285)

This is breaking sites left and right in nightly. And not small sites: NYTimes is the first that comes to mind, but others too. So I wouldn't be so optimistic about it going live in the next release.

Mixed web content

Posted Aug 7, 2013 21:12 UTC (Wed) by zlynx (subscriber, #2285)

I think that Firefox should stick with it.

If anything needs to change they should place the blame squarely where it belongs.

"JavaScript requested by The New York Times is blocked because it would make it possible to steal information from your browser."

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds