How Mixed Content Compromises Security

When users visit a website secured by an SSL Certificate, they expect their data to stay safe. But what happens if only part of the site is secured? Below is a scenario that illustrates one example of what could happen.

Scenario

You visit your favorite retail site to do some shopping. The site, example.com, is secured with an SSL Certificate, and you know the site is safe by looking at the lock icon in the address bar and the URL beginning with HTTPS. As you’re shopping, you see an advertisement for an interesting product, so you click on the ad, which directs you to another site. This new site appears to be safe, and you may think it is no more than an extension of example.com. However, as you’re clicking on product details, you unknowingly download malware onto your computer that steals your information.

This is a situation that can happen regularly. It is important to know that if a site secured with an SSL Certificate displays content (such as ads, images, videos, etc.) from unsecured HTTP connections, it is considered to have mixed content.

Types of Mixed Content

There are two types of mixed content: passive and active. While active mixed content generally poses more of a threat, both types can compromise the security of a website. Users should be aware of how mixed content can affect their browsing experience and how they can avoid mixed content security issues.

Passive Mixed Content

Passive mixed content includes audio, image, and video files that are pulled from HTTP connections. Loading any type of content over an HTTP connection can cause data leakage, such as cookie information being exposed. An attacker can leverage the mixed content on a webpage and replace or alter the image, audio, or video files with files of the attacker’s choosing. They can also lure users with an image and redirect them to the attacker’s unsecured website. However, the good news regarding passive mixed content is that the attacker is not able to affect other aspects of the webpage itself.

Active Mixed Content

Of the two types of mixed content, active mixed content is more dangerous. It includes any type of script file. A script that is pulled from an HTTP site onto an HTTPS site creates a window where an attacker could trick the HTTPS site into pulling their own (malicious) script instead. Unlike passive mixed content, active mixed content can affect the webpage itself, not just images or videos. Because it can affect the webpage, an attacker could intercept unsecured communications between the user’s browser and the web server, making a man-in-the-middle attack possible. Luckily for system admins and users, active mixed content is blocked by browsers in most cases.

Best Practices

Whether mixed content is blocked by browsers or not, it is a best practice to secure not only a webpage, but all resources on the page. System admins can make sure sites pull content from HTTPS-only resources by updating their HTML. Also, third-party content should explicitly use HTTPS when embedded. If there are pages accessible via both HTTPS and HTTP, use protocol-relative URLs when embedding resources.

SSL Certificates are the de facto standard for Internet security, but when a site displays mixed content, that security is compromised. At best, users may be bombarded with inappropriate images or aggressive ads. At worst, their information could be stolen. Since stolen information could tarnish a site’s brand reputation, it is best to be aware and take the appropriate measures to avoid such results.