Addressing Mixed Content Vulnerabilities

Bruce Morton

I fail to understand why website operators continue to deploy sites with Mixed Content. Are the following trust dialogues presented to their users not sufficient incentive to correct the problem? Nevertheless, a recent study showed that 22 percent of sites use Mixed Content.

Mixed Content warning from Microsoft IE8

Mixed Content warning from Mozilla Firefox 4

Internet Explorer (IE) and Firefox present these security dialogues by default. That means if your site has Mixed Content, approximately 65-75 percent of your users are seeing this warning. The problem is the user is trained to just click through the warning and not make a legitimate trust decision.

With IE9, Microsoft is trying to mitigate the user impact of Mixed Content. By default, IE9 will not display unsecured content delivered to an HTTPS page with the exception of unsecured images. For unsecure images, no warning is displayed; however, the lock icon is removed from the address bar. The idea is that only the image itself can be manipulated if it is delivered insecurely, but the image cannot be used to run a maliciously script. In addition, IE9 includes stronger protection against Mixed Content vulnerabilities in HTTPS-delivered frames by providing the Mixed Content warning even if the top frame is HTTP only.

Google Chrome currently does not deliver a Mixed Content warning. Chrome does display subtle indications in the address bar, but no pop-up. With Chrome 14, Google is planning to provide more useable information to the user by adding an info bar when a mixed-scripting vulnerability is detected.

Mixed script warning from Google Chrome 14

Both Microsoft and Google also provide improved tools to help website developers discover the source of Mixed Content warnings.

The lesson for website operators is the browser vendors are taking Mixed Content issues seriously and will continue to provide warnings to users that may impact traffic that visits your site. Best to get ahead of the curve and remove these vulnerabilities.

Bruce Morton
Bruce Morton
Director, Certificate Technology & Standards

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.

1 Comment

  1. Interesting details on what browser vendors are doing in this area; particularly important as it’s likely that in a few years, “HTTPS will be everywhere” as the default protocol, and HTTP will seem like an undue risk.

    Some more thoughts here:
    http://blog.matthewskelton.net/2011/12/23/by-2015-https-will-be-everywhere/

Add to the Conversation