Firefox to Block Mixed Content

Bruce Morton

Congratulations, Mozilla, on your plan to release Firefox 23, which will block mixed content.

Website owners who have mixed-content pages will surely be impacted and should make changes. Internet Explorer, Chrome and Opera already block mixed content, and Firefox is joining them. Users of an affected site will see trust warnings, or the browser’s security indicator (i.e., the lock icon) may not be shown.

What is Mixed Content?

Mixed content is an SSL-secured webpage that loads some of its content (e.g., JavaScript files, images, CSS files) over plain HTTP rather than SSL. The insecure content makes the whole page insecure: an active man-in-the-middle (MITM) attacker can tamper with the unprotected resource and hijack the user’s session.

Firefox 23 blocks mixed active content and changes the security display for mixed passive content. Firefox graphics for mixed content can be seen in the Mozilla post.

Mixed Active Content

Mixed active content can change the behavior of the HTTPS webpage and potentially steal sensitive data from the browser user. A MITM attacker can intercept requests for the HTTP active content, rewrite the response, and perform actions such as stealing login credentials, acquiring sensitive user information or installing malware on the user’s system.

When Firefox 23 sees active content (e.g., JavaScript, CSS, objects, XMLHttpRequest (xhr) requests, iframes and fonts) referenced over HTTP, it will block the request from the HTTPS page.

Mixed Passive Content

Mixed passive content has a limited effect on the HTTPS website. The attacker could replace an image with inappropriate material or misleading information, but would not have the ability to affect the rest of the webpage.

However, the attacker could observe the image requests and the information they carry, such as the headers and the cookies. If the image is served from the same domain as the main webpage, then the HTTPS protection becomes useless, because the cookies for that domain are sent with the unencrypted image request.

When Firefox 23 sees passive content (e.g., images, audio and video loads) referenced over HTTP, it will not block the passive content by default, but it will change the security display of the page by not showing the lock icon.

How Does a Website Operator Fix the Problem?

First, be careful about what you link into your webpage. Do you own or control the content? If not, I would consider not allowing any third-party mixed content.

For content that you own or control, protect it with an SSL certificate and serve it over HTTPS. If you cannot protect it with SSL, then do not link to that content.
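To help with that audit, here is an added example (my own illustration, not code from this post or from Mozilla): a small Python script that scans the HTML of an HTTPS page for sub-resources referenced over plain HTTP and sorts them into the active and passive categories described above. The tag-to-category mapping and the sample page are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag categories follow the post's description of Firefox 23: active content
# is blocked outright, passive content only removes the lock icon.
ACTIVE = {"script": "src", "link": "href", "iframe": "src", "object": "data"}
PASSIVE = {"img": "src", "audio": "src", "video": "src"}

class MixedContentAuditor(HTMLParser):
    # Collects sub-resources of an HTTPS page that are referenced over plain HTTP.
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ACTIVE:
            kind, attr = "active", ACTIVE[tag]
            # Only stylesheet <link>s load active content; icons, preloads etc. are skipped.
            if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                return
        elif tag in PASSIVE:
            kind, attr = "passive", PASSIVE[tag]
        else:
            return
        ref = attrs.get(attr)
        if not ref:
            return
        absolute = urljoin(self.page_url, ref)  # relative and //host refs inherit https
        if urlsplit(absolute).scheme.lower() == "http":
            self.findings.append((kind, absolute))

def audit_mixed_content(page_url, html):
    # Returns (active, passive) lists of insecure URLs found in the HTTPS page.
    parser = MixedContentAuditor(page_url)
    parser.feed(html)
    active = [u for k, u in parser.findings if k == "active"]
    passive = [u for k, u in parser.findings if k == "passive"]
    return active, passive

# Constructed sample page: two insecure active resources, one insecure image, rest are fine.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="icon" href="http://cdn.example.com/favicon.ico">
<script src="//cdn.example.com/app.js"></script>
<script src="http://cdn.example.com/legacy.js"></script>
</head><body><iframe src="https://partner.example.com/widget"></iframe>
<img src="/img/logo.png"><img src="http://images.example.com/banner.jpg">
</body></html>"""
```

Anything in the active list is what Firefox 23 will refuse to load; the passive list is what costs you the lock icon.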

Bruce Morton
Director, Certificate Technology & Standards

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.
