
How to test Firefox 23 change on unsecured content before it happens

Mozilla announced that the next version of its browser, Firefox 23, will automatically block unsecured content on encrypted web pages. You can check how that change will affect your own or other websites now.

SSL is a well-known protocol, and along with TLS, it ensures that we can make secure transactions on the web. Most people do not know the underlying principles behind these protocols, but they know to look for the lock icon in their URL bar, and figure that the information they send to their bank, email provider, online store and others will be secure. By using SSL, we know that all of that information is encrypted, and nobody who may be listening in will be able to get our login information or financial details. This is a very good thing, and the support that browsers have for these protocols is thus very important.

However, a web page is not served from a single location. A typical page is composed of many elements, sometimes hundreds. You have the HTML file, but also images, stylesheets, scripts, fonts and so on. So what happens if you connect to a secure site, but some of these assets come from an unsecured connection? This is what we call mixed content. You end up with a page that is secure, and has the SSL icon, but may also contain images, scripts or more that came from a non-encrypted connection. Browsers have various ways to deal with this situation. Some will show you a warning message; others will simply use a broken lock icon. But the result for the end user is that they may realize something is amiss, while there is no easy way for them to know what exactly is not secure.

Starting with version 23, the Mozilla team decided that Firefox will simply stop allowing such a situation to occur. There already is an option you can turn on to block unsecured content on encrypted web pages, but from version 23, which is due on May 17, this will be turned on by default. Instead of seeing the mixed content, the whole connection will be dropped, and you will not see the content that was not encrypted.

Better for security

Mixed content is a big problem. You may think that if your actual form submission goes through an encrypted port, then the rest of the page does not matter, but in reality there are multiple attacks that can be carried out. Any time unsecured content can be added to a page that should otherwise be secure, you have an issue. What you end up loading may not be an image but a script, and this script may be doing things you did not expect. If you have someone in the middle of your connection, doing a typical man-in-the-middle attack, then you may end up seeing what should be a legitimate script replaced by a malicious one.

Also, the broken padlock or error messages that used to be provided were bad from a user's point of view. They were cryptic, and did not provide enough information for a typical user to make a decision on whether to allow this content to be loaded or not. Even if you wanted this content, you had no real way to find out whether the content was genuine, since you had no encryption or authentication. So this change is a very good thing. It solves the user interface issue and the potential security problems.

How to test this change

With that being said, there are some people pointing out that this will break things. While webmasters should know better than to use mixed content, there are still a lot of sites out there using such a setup, for various reasons. Of course there is laziness, but there are also cases where you may wish to include resources from other sites, and those resources simply are not available through a secure connection. So if you make an encrypted site, and you try to load a script from another site which is only offered through port 80, then you end up with mixed content.

However, the change should not break too many big sites. This is because Firefox is hardly the first to do this. Chrome started doing the same thing last year, first giving a warning message and eventually blocking content just like Firefox will. Internet Explorer is not that drastic, but since IE10, it does provide a warning message and requires the user to explicitly allow the content through. So again, webmasters have had time to fix their sites, if they haven't already.

If you want to test this change now, you can use the about:config URL in your version of Firefox, and search for the key security.mixed_content.block_active_content, which is the setting that will be turned on by default. By changing it to true you are telling your browser that you want to block mixed content. (Firefox will display a warning when you go to about:config to make this change. Be careful when editing keys.) This is something any web developer or administrator should do to ensure that their own sites are not going to break. You only have a few weeks before this latest change occurs, so make sure you find the time to run a quick check on your own content.
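Flipping the about:config key shows you whether a page breaks, but it does not tell you which elements are at fault. The script below is an added example (not code from the article or from Mozilla) that does the same check offline: it parses the HTML of a page served over https:// and lists every sub-resource whose resolved URL is plain http://, which is exactly the kind of reference the security.mixed_content.block_active_content setting named above will block. It covers both the "what is mixed content" explanation and the testing step. The sample page, the hostnames in it, and the split between "active" content (scripts, stylesheets, frames, plugins) and "display" content (images, media) are this example's own constructions and simplifications, not definitions taken from the article.

```python
"""Offline mixed-content audit for a page fetched over https://.

Added example: the HTML sample, the hostnames and the active/display
classification are constructed for illustration only.
"""

from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attributes that trigger a sub-resource fetch.
RESOURCE_ATTRS = {
    "script": ("src",),
    "link": ("href",),          # only counted when rel contains "stylesheet"
    "iframe": ("src",),
    "object": ("data",),
    "embed": ("src",),
    "img": ("src",),
    "audio": ("src",),
    "video": ("src", "poster"),
    "source": ("src",),
}

# Tags whose payload can execute or restyle the page; a tampered one of
# these is the script-replacement scenario the article describes.
ACTIVE_TAGS = {"script", "link", "iframe", "object", "embed"}


class MixedContentAuditor(HTMLParser):
    """Collects (kind, tag, resolved_url) for every http:// sub-resource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rel = (attrs.get("rel") or "").lower().split()
            if "stylesheet" not in rel:
                return  # icons, prefetch hints etc. are out of scope here
        for name in RESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            # Relative and protocol-relative ("//cdn/...") references inherit
            # the page's https scheme; only absolute http:// ones are mixed.
            resolved = urljoin(self.page_url, value.strip())
            if urlsplit(resolved).scheme == "http":
                kind = "active" if tag in ACTIVE_TAGS else "display"
                self.findings.append((kind, tag, resolved))


def find_mixed_content(html, page_url):
    """Return the list of http:// sub-resources referenced by an https page."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content only applies to pages served over https://")
    auditor = MixedContentAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample: a checkout page that pulls in a few third-party assets.
SAMPLE_PAGE_URL = "https://shop.example.com/checkout"
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="stylesheet" href="http://cdn.example.net/theme.css">
<script src="//cdn.example.net/lib.js"></script>
<script src="http://analytics.example.org/track.js"></script>
</head><body>
<img src="http://images.example.com/logo.png">
<img src="https://images.example.com/hero.png">
<iframe src="http://widgets.example.org/embed"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(f"{kind:7s} <{tag}> {url}")
```

Run it against the saved HTML of your own pages (the page URL is needed so relative references resolve correctly). Anything reported as "active" is what the new default blocks outright; the fix in every case is the same one the article recommends: serve the asset over HTTPS or use a protocol-relative or https:// reference.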

About

Patrick Lambert has been working in the tech industry for over 15 years, both as an online freelancer and in companies around Montreal, Canada. A fan of Star Wars, gaming, technology, and art, he writes for several sites including the art news commun...

16 comments
Deadly Ernest

So, it will ask and you can set it to allow as a whole or on a case-by-case basis, as I have been doing for years with certain plug-ins, as have a lot of other FF users. It does beat the hell out of being asked by MS Internet Explorer if you trust a web site every time you visit it after they stop paying for an MS approved certificate. Even when I tell MSIE I trust the site and to let it happen, it will ask again the very next session. The funny thing about MSIE constantly asking me about the site that no longer pays for an MS approved security certificate is that the system it happens on is a Win 7 Enterprise system that belongs to an international non-profit organisation I do volunteer work for, and the system accesses the organisation's website through a VPN into their server and then hits the web pages or goes out via their gateway. FF asked the first time I hit the site and never again as I said I trusted it, but MSIE has to annoy me by asking every time I open the browser.

goldenpirate

"... but since IE10, it does provide a warning message and requires the user to explicitly allow the content through." Sorry Patrick, you got that one wrong. Internet Explorer has been providing this message since IE7 (I think; it's been a while), but I do know that IE8 certainly does (because it's my main browser, and before anyone shouts at me to update IE, I can't because M$ stopped version upgrading IE for XP).

DAS01

My Firefox 20 is "up to date". Are you saying ("the next version is 23") that Firefox cannot count?

Deadly Ernest

Both XP and 7 Enterprise on a couple of sites that stopped paying for an MS approved certificate, and it matters not how many times I tell MSIE it's OK, the next session I get asked again.

Slayer_

I don't recall if I got it in IE4. But that message was always irritating, every site seemed to have insecure stuff with secure stuff.

Greenknight_z

I'm running a test build of Fx 23, and having no problems here.

Slayer_

The bug is probably permanent. TR probably has to code around the problem.

mudpuppy1

I still can't get the Reply or Edit links to work unless I open in a new tab (except on Smart Planet).

Greenknight_z

The next version of Firefox will be Fx 21, which is currently in Beta. The author apparently doesn't understand the Firefox testing process. Fx 23 is currently in Nightly builds, which is the pre-alpha test build channel - that's where new features are first pushed to the wider testing community. I run those builds all the time; they're usually stable and have auto-update. They're months away from final release, though. All that happens in May is that Fx 23 moves to the alpha channel, badged Aurora. These builds also update each night, but new features are not introduced at that stage. Six weeks after that it will move to Beta, where it will receive updates only as needed - this is the point where it's first badged as Firefox. If all goes according to plan, on Aug. 6 it will finally be released.

mudpuppy1

MS did this with Office back in the Stone Age (1990s) when they went from 4.3 to 6 because Word Perfect was at 6 and they didn't want to seem to be behind. I'm sure others have done similar. Not sure why Firefox is doing it though. My version is 20.0.1.

DAS01

Thanks for the explanation, Greenknight_z.

DAS01

I did not know it either, so it can't be THAT common... :-) I am glad somebody asked...

Slayer_

Must not be that common after all.