SSL is a well-known protocol, and along with TLS, ensures that we can make secure transactions on the web. Most people do not know the underlying principles behind these protocols, but they know to look for the lock icon in their URL bar, and from that they conclude that the information they send to their bank, email provider, online store and others will be secure. By using SSL, we know that all of that information is encrypted, and nobody who may be listening in will be able to get our login information or financial details. This is a very good thing, and the support that browsers have for these protocols is thus very important.

However, a web page does not come from a single location. A typical page is composed of many elements, sometimes hundreds. You have the HTML file, but also images, stylesheets, scripts, fonts and so on. So what happens if you connect to a secure site, but some of these assets come in over an unsecured connection? This is what we call mixed content. You end up with a page that is secure, and has the SSL icon, but may also contain images, scripts or more that came from a non-encrypted connection. Browsers have various ways to deal with this situation. Some will show you a warning message; others will simply use a broken lock icon. But the result for the end user is that they may realize something is amiss, yet there is no easy way for them to know what exactly is not secure.

Starting with version 23, the Mozilla team decided that Firefox will simply stop allowing such a situation to occur. There is already an option you can turn on to block unsecured content on encrypted web pages, but from version 23, which is due on May 17, this will be turned on by default. Instead of seeing the mixed content, the whole connection will be dropped, and you will not see the content that was not encrypted.

Better for security

Mixed content is a big problem. You may think that if your actual form submission goes through an encrypted port, then the rest of the page does not matter, but in reality there are multiple attacks that can be carried out. Any time unsecured content can be added to a page that should otherwise be secure, you have an issue. What you end up loading may not be an image, but a script, and this script may be doing things you did not expect. If you have someone in the middle of your connection, carrying out a typical man-in-the-middle attack, then you may end up with what should be a legitimate script being replaced by a malicious one.

Also, the broken padlock or error messages that used to be provided were bad from a user point of view. They were cryptic, and did not provide enough information for a typical user to make a decision on whether to allow this content to be loaded or not. Even if you wanted this content, you had no real way to find out whether the content was genuine, since you had no encryption or authentication. So this change is a very good thing. It solves the user interface issue, and the potential security problems.

How to test this change

With that being said, there are some people pointing out that this will break things. While webmasters should know better than to use mixed content, there are still a lot of sites out there using such a setup, for various reasons. Of course there is laziness, but also there are cases when you may wish to include resources from other sites, and those resources simply are not available through a secure connection. So if you make an encrypted site, and you try to load a script from another site, which is only offered through port 80, then you end up with mixed content.

However, the change should not break too many big sites. This is because Firefox is hardly the first to do this. Chrome started doing the same thing last year, first giving a warning message and eventually blocking content just like Firefox will. Internet Explorer is not that drastic, but since IE10, it does provide a warning message and requires the user to explicitly allow the content through. So again, webmasters have had time to fix their sites, if they haven’t already.

If you want to test this change now, you can use the about:config URL in your version of Firefox, and search for the key security.mixed_content.block_active_content, which is the setting that will be turned on by default. By changing it to true you are telling your browser that you want to block mixed content. (Firefox will display a warning when you go to about:config to make this change. Be careful when editing keys.) This is something any web developer or administrator should do to ensure that their own sites are not going to break. You only have a few weeks before this latest change occurs, so make sure you find the time to run a quick check on your own content.
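Flipping the preference and clicking through your own site is the simplest check, but it does not tell you which references will be cut. The following Python script is an added example, not code from the article or from Mozilla: it walks the HTML of a page served over https and lists every subresource that points at a plain http:// URL, separating the ones the security.mixed_content.block_active_content setting blocks (scripts, stylesheets, frames, plugin objects, which Firefox calls active mixed content) from images and media (display content, which the preference discussed here leaves alone). The tag classification and the sample page are assumptions of this example; the hostnames are constructed and not real sites.

```python
# Added example (not from the original article): an offline mixed-content
# checker. Given the HTML of a page served over https, it lists every
# subresource that would be fetched over plain http and says whether Firefox's
# blocker treats it as active content (blocked by the pref named in the
# article) or display content (left alone by that pref).
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag classification follows Firefox's active/display split; treated here as an
# assumption of this example, since the article does not spell it out.
ACTIVE_TAGS = {"script", "iframe", "link", "object", "embed"}
DISPLAY_TAGS = {"img", "audio", "video", "source"}
# Attributes that carry a fetched URL, in a fixed order so output is stable.
URL_ATTRS = ("src", "href", "data")


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, resolved_url, "active" | "display")

    def handle_starttag(self, tag, attrs):
        if tag not in ACTIVE_TAGS and tag not in DISPLAY_TAGS:
            return
        attrs = dict(attrs)
        # Only a stylesheet <link> is a fetched subresource that matters here.
        if tag == "link" and (attrs.get("rel") or "").lower() != "stylesheet":
            return
        for name in URL_ATTRS:
            raw = attrs.get(name)
            if not raw:
                continue
            # Relative ("/css/x.css") and protocol-relative ("//cdn/x.js")
            # references inherit the page's https scheme and are not mixed.
            resolved = urljoin(self.page_url, raw.strip())
            if urlparse(resolved).scheme == "http":
                kind = "active" if tag in ACTIVE_TAGS else "display"
                self.findings.append((tag, resolved, kind))


def find_mixed_content(page_url, html):
    """Return [(tag, url, kind)] for every http:// subresource on an https page."""
    if urlparse(page_url).scheme != "https":
        return []  # mixed content only exists on a page that is itself secure
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


def blocked_by_firefox(findings):
    """Subset of findings that security.mixed_content.block_active_content cuts."""
    return [f for f in findings if f[2] == "active"]


# Constructed sample page (hostnames are not real sites): one http stylesheet,
# one http script, one http image, one http iframe, plus a relative stylesheet,
# a protocol-relative script and an https image that are all fine.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/css/site.css">
<link rel="stylesheet" href="http://static.example.test/theme.css">
<script src="//cdn.example.test/lib.js"></script>
<script src="http://cdn.example.test/analytics.js"></script>
</head><body>
<img src="http://images.example.test/logo.png">
<img src="https://images.example.test/banner.png">
<iframe src="http://widgets.example.test/embed"></iframe>
</body></html>
"""

if __name__ == "__main__":
    found = find_mixed_content("https://shop.example.test/checkout", SAMPLE_HTML)
    for tag, url, kind in found:
        print(f"{kind:7} <{tag}> {url}")
    print(f"{len(blocked_by_firefox(found))} of {len(found)} would be blocked")
```

To check a real page of your own, fetch its HTML (for example with curl) and pass the page URL and the body to find_mixed_content. Anything reported as active is what Firefox 23 will refuse to load; the fix on the site side is to reference the resource over https, or with a protocol-relative URL when the host serves both.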