Addressing Mixed Content Vulnerabilities
I fail to understand why website operators continue to deploy sites with Mixed Content, that is, HTTPS pages that pull in scripts, stylesheets, frames or images over plain HTTP. Are the trust dialogs presented to their users not sufficient incentive to correct the problem? Nevertheless, a recent study showed that 22 percent of sites use Mixed Content.
Internet Explorer (IE) and Firefox present these security dialogs by default. That means if your site has Mixed Content, approximately 65 to 75 percent of your users are seeing this warning. The problem is that the user has been trained to click through the warning rather than make a legitimate trust decision.
With IE9, Microsoft is trying to mitigate the user impact of Mixed Content. By default, IE9 will not display unsecured content delivered to an HTTPS page, with the exception of unsecured images. For unsecured images no warning is displayed; however, the lock icon is removed from the address bar. The reasoning is that an image delivered insecurely can be replaced or altered by an attacker on the path, but only the image itself is affected: unlike a script, stylesheet or frame, it cannot be used to run malicious code in the page. In addition, IE9 includes stronger protection against Mixed Content in HTTPS-delivered frames by presenting the Mixed Content warning even if the top-level frame is HTTP only.
Google Chrome currently does not deliver a Mixed Content warning. Chrome does display subtle indications in the address bar, but no pop-up. With Chrome 14, Google is planning to provide more usable information to the user by adding an info bar when a mixed-scripting vulnerability is detected.
Both Microsoft and Google also provide improved tools to help website developers discover the source of Mixed Content warnings.
The lesson for website operators is that the browser vendors are taking Mixed Content seriously and will continue to tighten the warnings and blocking presented to users, which may well impact the traffic that visits your site. Best to get ahead of the curve and remove these vulnerabilities now.