I always had two pet peeves about a number of the websites I frequent. First, they frequently required me to whitelist them on NoScript, which I wasn’t a fan of and second, the SSL versions of the sites often gave large Mixed-Content warnings. These warnings are annoying, distracting and honestly disruptive to the user experience. I’ll be the first to admit to that. It seems that some browsers listened to these complaints. I just recently remembered when visiting my personal blog that these warnings no longer exist when using Firefox. Sure if you look in the bottom corner there’s a little red exclamation mark over the lock but it doesn’t contain the full screen warning that a Domain Mismatch or Self Signed Cert cause.

ComputerDefense.org via HTTPS

See it there, next to Fiddler: Disabled… a little time red exclamation mark. That’s all the warning you get. So what do other browsers do? Well, Chrome gives you a slightly bigger, yellow-ish exclamation mark in the address bar, yet it still allows the content to load. IE on the other hand brings up a pop-up (pictured below) prompting the user if they want to load the insecure data or not. It’s not as vocal as it could be, but it’s better than nothing.

IE Pop-up for Mixed-Content

So why am I blogging about this? After all I said they were annoying and distracting and it seems that the browser vendors are removing them. That’s a good thing… isn’t it? Nope, definitely not a good thing.

Let’s think about some of the pages that throw large, screaming, in-your-face type errors. Let’s take two examples, Self Signed Cert and Domain Mismatch. Now remember that the aim of SSL is two-fold. One is to provide verification of the source of the data, the other is to provide encryption.

Does a Self-Signed Cert provide encryption? Yes.
Does a Certificate with a Domain Mismatch provide encryption? Yes.
Does a site with Mixed-Content provide encryption? Partially.

Does a Self Signed Cert provide site verification? No.
Does a Certificate with a Domain Mismatch provide site verification? No.
Does a site with Mixed-Content provide site verification? Partially.

So Yes + No = In-Your-Face Error
Yet, Partially + Partially = Tiny Little Error in the Corner

I would say that Mixed-Content is more dangerous than both a Self-Signed Cert and a Domain Mismatch, yet they’ve been treated as more serious issues. I’m don’t understand that logic, and I’m not sure that I ever will.

My (current) browser of choice Chrome defines Mixed Content Errors as;

“Your connection to www.website.com is encrypted with 128-bit encryption. However this page includes other resources which are not secure. These resources can be viewed by others in transit, and can be modified by an attacker to change the look or behavior of the page.”

Oh Noes!

Royalbank serving up mixed content

Here is HSBC doing so on its homepage

Here are two Foriegn Canadian Fails

And I think this one was my favorite because I found it on National Bank’s Confidentiality Policy page.

I want to start a discussion about the dangers of Mixed Content in SSL Sessions.

• Are these things serious?
• Did my lock icon pop open to alert me of an attack?
• What part of this session IS encrypted and what part ISN’T?
• Where are my cookies going?
• What is the most malicious thing you can think of injecting into a Mixed Content SSL Session?