What is Mixed Content?
When a website’s HTML (Hyper-Text Mark-up Language) code is loaded with security of HTTPS connection and contains resources that are loaded over an insecure HTTP connection, then it is called Mixed Content since both secure and insecure pages are being loaded for the same display page which causes error.
Mixed Content reduces the strength of HTTPS security as when there a request of any resource using the insecure HTTP the website becomes vulnerable and can be attacked by hackers and other malicious parties.
There are two types of Mixed Content –
1) Mixed Passive Content (or Mixed Display Content)
This type of mixed content comes into picture when there is HTTP content on an HTTPS website that cannot alter the Document Objected Model (DOM) of the webpage.
Examples are – image, video and audio loads.
2) Mixed Active Content (or Mixed Script Content)
This is the content that has access to and can even affect all parts of the Document Objected Model (DOM) of an HTTPS page.
Examples -
iframes, JavaScript, CSS, etc.
When a mixed content is generated different browsers show different symptoms –
- Firefox – A yellow triangle with an exclamation mark is seen on the padlock icon issuing a warning against the URL.
- Internet Explorer Version 10 – A warning message stating “Only Secured content is displayed” appears on the screen.
- Microsoft Edge – A warning message stating “You’re only seeing secure content” is displayed on the screen.
- Chrome – A warning symbol is displayed in front of the URL of the website indicating that the website is not secure and has mixed content.
SSL Certificates are issued to websites indicating that they are safe for usage and are protected against any malicious attack by hackers and secure the information of the user. But the SSL certificates issued to the website depend upon the Certificate Authority (CA) and they do not always function according to the prescribed regulations and often in many cases don’t do a proper verification and the sometimes issue them to insecure websites which is a threat to online security.
Since SSL certificates are mainly of three types and the cheapest being the Domain Validated SSL certificate which just requires an email verification of the owner and issue an SSL certificate. These websites are mostly run by malicious hackers and don’t take proper measures to avoid Mixed Content as they do not do proper verification before any upload. Hence the cheap SSL certificate is a big threat to web-security.
One of the easiest resources for finding mixed content on your website is “Why No Padlock?” Where one can enter the URL of the website and the site will automatically scan for any issues on the website.
Searching for Mixed Content is the first step in its removal process. This can be done by opening the source code of the website and searching for all the HTTP elements and then replacing them by HTTPS i.e. adding ‘s’ at the end of every HTTP appearing in the source code. This helps in eliminating the insecure sub-resources and thus defending the mixed content formation.
Steps to be Followed for the Removal of Mixed Content –
1) One way is to find the mixed content on the site by source code inspection and finding out the HTTP i.e. insecure sources and then replacing them by HTTPS.
2) Use Screaming Frog SEO Spider Tool.
3) Use the JitBit scanner.
4) Use the HTTPS checker.
The SSL Certificate provider is equally important for any website to avoid mixed content since the many CA’s are being unrecognized by most of the web browsers.
Fixing of Mixed Content –
Installation and Activation of the SSL Insecure Content Fixer plugin. After the activation is done we need to go to ‘Settings’ and in settings to the ‘SSL Insecure Content’ page to configure the plugin settings. Multiple levels of fixes are provided by the plugins for the mixed content.
To avoid any type of mixed content most of the browsers have started providing Mixed Content Blockers. For example- Firefox 23 has started providing mixed content blockers that block active mixed content which reduces the threat to the user, but cannot block it completely since passive mixed content is still permitted.
Users have to decide themselves whether they want to permit passive mixed content or not. For other versions of Firefox like 18, 19 and 20 the Mixed Content UI blocker has not been activated yet but Firefox is working on updating this issue in these versions.
Mixed Contents can be avoided if the sub-sources on a website are taken care of and are verified before providing their links on the website. SSL certificates also play a key role in blocking mixed content and should be bought only from trusted and verified Certificate Authorities.
More Resources
