With all the trouble one can run into on the Internet, it is always a good idea to have as secure of a connection as possible. But what do you do when your browser says a secure website is not fully secure? Today’s SuperUser Q&A post has the answer to a worried reader’s question.
Today’s Question & Answer session comes to us courtesy of SuperUser—a subdivision of Stack Exchange, a community-driven grouping of Q&A web sites.
SuperUser reader David Starkey wants to know why his browser says a secure website is not fully secure:
I was accessing Pandora via SSL and noticed a few icons by the URL. First is this exclamation point in a triangle, indicating the page is not fully secure.
Next to it is a shield. This one says content that is not secure is blocked.
These statements, at least to me, seem to contradict each other. Can someone explain this to me? Is my connection secure or not? I accessed the Pandora website using Firefox 30.0 on Windows 7. I also have HTTPS Everywhere installed.
What is going on here? Is David’s connection to the Pandora website secure or not?
SuperUser contributor redburn has the answer for us:
This is called a “mixed content” page. From the Mozilla Developer Network (Mixed Content):
- If the HTTPS page includes content retrieved through regular, cleartext HTTP, then the connection is only partially encrypted: the unencrypted content is accessible to sniffers and can be modified by man-in-the-middle attackers, and therefore the connection is not safeguarded anymore. When a webpage exhibits this behavior, it is called a mixed content page.
The statements are not contradictory, but complementary, and a little confusing perhaps. The first says the page itself is not fully secure because it contains unencrypted elements (all web browsers will notify you of this), whereas the second notes that these elements have been automatically blocked by Firefox.
If Firefox did not block the unencrypted elements, then strictly speaking, the page would not be secure.
HTTPS Everywhere does not guarantee a secure connection. It will only try to force HTTPS whenever it is available; if it is not, then there is nothing a user or browser can do about it outside of blocking the unsecure content.
Have something to add to the explanation? Sound off in the comments. Want to read more answers from other tech-savvy Stack Exchange users? Check out the full discussion thread here.