Jay posted on this previously and we had a brief discussion surrounding it in the comments, but I wanted to bring this up again because I’m really not a fan of it, and I wanted to make sure people are paying attention. Oh yeah and discuss, discuss, discuss — let’s have some chatter
I always had two pet peeves about a number of the websites I frequent. First, they frequently required me to whitelist them in NoScript, which I wasn’t a fan of, and second, the SSL versions of the sites often gave large Mixed-Content warnings. These warnings are annoying, distracting and honestly disruptive to the user experience. I’ll be the first to admit that. It seems that some browsers listened to these complaints. I just recently noticed, when visiting my personal blog, that these warnings no longer exist in Firefox. Sure, if you look in the bottom corner there’s a little red exclamation mark over the lock, but it isn’t the full-screen warning that a Domain Mismatch or Self-Signed Cert causes.
See it there, next to Fiddler: Disabled… a tiny little red exclamation mark. That’s all the warning you get. So what do other browsers do? Well, Chrome gives you a slightly bigger, yellowish exclamation mark in the address bar, yet it still allows the content to load. IE, on the other hand, brings up a pop-up (pictured below) asking the user whether they want to load the insecure content or not. It’s not as vocal as it could be, but it’s better than nothing.
So why am I blogging about this? After all I said they were annoying and distracting and it seems that the browser vendors are removing them. That’s a good thing… isn’t it? Nope, definitely not a good thing.
Let’s think about the conditions that throw large, screaming, in-your-face errors, and take two examples: a Self-Signed Cert and a Domain Mismatch. Now remember that the aim of SSL is two-fold. One is to verify the source of the data (and, along with that, that nobody has altered it in transit); the other is to provide encryption.
Does a Self-Signed Cert provide encryption? Yes.
Does a Certificate with a Domain Mismatch provide encryption? Yes.
Does a site with Mixed-Content provide encryption? Partially. The parts that came over HTTPS are encrypted; anything pulled in over plain HTTP is not, and can be read or rewritten by anyone on the path.
Does a Self-Signed Cert provide site verification? No.
Does a Certificate with a Domain Mismatch provide site verification? No.
Does a site with Mixed-Content provide site verification? Partially. The page itself came from a verified host, but an HTTP script or stylesheet it loads is whatever the network chose to deliver, and once that script runs it has the same control over the page as the site’s own code.
So Yes + No = In-Your-Face Error
Yet, Partially + Partially = Tiny Little Error in the Corner
I would say that Mixed-Content is more dangerous than both a Self-Signed Cert and a Domain Mismatch, yet those two are treated as the more serious issues. I don’t understand that logic, and I’m not sure that I ever will.
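To make that “Partially” concrete, here is an added example (my own code, not anything from the original post) that scans an HTTPS page’s HTML for sub-resources fetched over plain http:// and separates active mixed content (scripts, stylesheets, frames, which can take over the page) from passive mixed content (images and media, which can only be swapped out). The hostnames and the HTML snippet are constructed for the example, and the scanner works on the HTML text rather than the DOM so it runs under Node as well as in a browser.

```javascript
// Added example: classify mixed content on an HTTPS page.
// Active content can run code or restyle the page, so an attacker who tampers
// with it in transit controls the whole page; passive content can only be
// replaced with something else. All URLs and markup below are constructed.

const ACTIVE_TAGS = new Set(["script", "iframe", "link", "object", "embed"]);
const PASSIVE_TAGS = new Set(["img", "audio", "video", "source"]);

// Returns [{tag, url, kind}] for every sub-resource loaded over http://
// from a page served over https://. Other schemes (https:, data:, blob:)
// and protocol-relative URLs (which inherit https:) are not mixed content.
function findMixedContent(html, pageUrl) {
  const page = new URL(pageUrl);
  if (page.protocol !== "https:") return []; // only an https page can have mixed content

  const tagRe = /<(\w+)\b([^>]*)>/g;                                    // opening tags only
  const attrRe = /\b(src|href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i; // src= or href=
  const findings = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = m[2];
    if (!ACTIVE_TAGS.has(tag) && !PASSIVE_TAGS.has(tag)) continue;
    // <link> only pulls in a sub-resource when it is a stylesheet; other rel values are inert here.
    if (tag === "link" && !/\brel\s*=\s*["']?stylesheet/i.test(attrs)) continue;
    const a = attrRe.exec(attrs);
    if (!a) continue;
    const raw = a[2] ?? a[3] ?? a[4];
    let url;
    try { url = new URL(raw, page); } catch { continue; } // resolve relative and // URLs against the page
    if (url.protocol !== "http:") continue;
    findings.push({ tag, url: url.href, kind: ACTIVE_TAGS.has(tag) ? "active" : "passive" });
  }
  return findings;
}

// Roll the findings up into the verdict a practitioner actually cares about:
// any active mixed content means the HTTPS guarantees for the page are gone.
function summarize(findings) {
  const active = findings.filter((f) => f.kind === "active").length;
  const passive = findings.length - active;
  const verdict = active > 0
    ? "broken: attacker-controlled code can run in the page"
    : passive > 0
      ? "degraded: images or media can be swapped in transit"
      : "clean";
  return { active, passive, verdict };
}

// Constructed sample page, served from https://www.example.com/ for the example.
const SAMPLE_HTML = `
<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="http://cdn.example.com/analytics.js"></script>
<script src="https://cdn.example.com/app.js"></script>
</head><body>
<img src="http://images.example.com/logo.png">
<img src="//images.example.com/hero.png">
<iframe src="https://widgets.example.com/frame"></iframe>
<a href="http://example.com/about">About</a>
</body></html>`;

const findings = findMixedContent(SAMPLE_HTML, "https://www.example.com/");
console.log(findings);              // 2 active (stylesheet, analytics script), 1 passive (logo)
console.log(summarize(findings));   // verdict starts with "broken"
```

The point the scanner makes is the one the Yes/No list above only hints at: a single http:// script or stylesheet is enough to put the page in the same position as one served with a bogus certificate, because whoever can tamper with that one request can rewrite everything the user sees and types.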