The proliferation of SSL-protected sites has been a boon for security-conscious Web users in the last couple of years, as more and more sites have taken the step of offering encrypted connections for sensitive sessions. But one of the problems that’s cropped up is that the dynamic nature of today’s Web means that content often is pulled from a variety of remote sites, and if that content isn’t considered safe, it can cause problems on an otherwise secure page. To help protect users against insecure content on these sites, Mozilla is adding a feature to Firefox that will block mixed content by default.
The main issue caused by the use of mixed content on secure pages is that it can leave users open to man-in-the-middle attacks. The appearance of HTTPS in the address bar gives users the sense that all of the content on a site is safe, but that is not always the case. A script or image or other piece of content loaded from a remote site could be unsafe and used as part of an attack. In Firefox 23 and later, Mozilla will begin blocking some of this mixed content, which will take some of the burden off users who are trying to determine which sites are safe.
Firefox won’t block all mixed content by default, but Mozilla officials say that the most dangerous types of such content, especially scripts, will be blocked right out of the box.
“The browser security community has divided mixed content into two categories: Mixed Active Content (like scripts) and Mixed Passive Content (like images). Mixed Active Content is considered more dangerous than Mixed Passive Content because the former can alter the behavior of an HTTPS page and potentially steal sensitive data from users. Firefox 23+ will block Mixed Active Content by default, but allows Mixed Passive Content on HTTPS pages,” Tanvi Vyas of Mozilla wrote.
This new feature now is in the Firefox Beta, and will be showing up in the final release of Firefox 23. For users, the Web experience will be much the same, with the addition of a shield icon in the address bar whenever the browser has blocked mixed content. Firefox is just the latest browser to add this kind of security measure. Both Google Chrome and Microsoft Internet Explorer already employ something similar.
Though the changes for users will be minimal, mixed content blocking may have more of an effect on site owners and developers. For site owners, the change may cause some headaches on SSL-protected pages.
“If you rely on HTTP resources in your HTTPS pages this feature might break your website. If you do find Mixed Content issues on your webpage in Firefox 23+, chances are that the same issues exist in Chrome and/or Internet Explorer, which have also implemented this feature,” Vyas said in a blog post. “If the Mixed Content resources on your page come from a third party, there is a chance that the HTTPS equivalent version already exists. For example, youtube.com has both HTTP and HTTPS video embed options.”
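As an added illustration (not code from the article or from Mozilla), the following Python audit walks a page's HTML and lists subresources fetched over plain HTTP, split into the Mixed Active (blocked by Firefox 23 by default) and Mixed Passive (still loaded) categories described above. The classification table, the hostnames and the sample page are constructed assumptions for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed, simplified table following the active/passive split quoted above
# (real browsers also treat XHR, fonts and similar fetches as active).
RESOURCE_ATTRS = {
    "script": ("src", "active"), "iframe": ("src", "active"),
    "object": ("data", "active"), "embed": ("src", "active"),
    "link": ("href", "active"),  # counted only when rel="stylesheet"
    "img": ("src", "passive"), "audio": ("src", "passive"),
    "video": ("src", "passive"), "source": ("src", "passive"),
}
class MixedContentScanner(HTMLParser):
    # Collects (category, tag, absolute_url) for subresources fetched over plain HTTP.
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in RESOURCE_ATTRS:
            return
        attrs = dict(attrs)
        attr, category = RESOURCE_ATTRS[tag]
        if tag == "link" and (attrs.get("rel") or "").lower() != "stylesheet":
            return  # icons, prefetch hints etc. are not stylesheets
        if not attrs.get(attr):
            return
        # Resolve against the HTTPS page: "/x.js" and "//cdn/x.js" inherit
        # https and are therefore not mixed content; only http:// is flagged.
        url = urljoin(self.page_url, attrs[attr])
        if urlsplit(url).scheme == "http":
            self.findings.append((category, tag, url))
def scan(page_url, html):
    """Return mixed-content findings for an HTTPS page, in document order."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings
def summarize(findings):
    """Apply the Firefox 23 default: active content blocked, passive still loaded."""
    return {"blocked": [u for c, _, u in findings if c == "active"],
            "allowed": [u for c, _, u in findings if c == "passive"]}
# Constructed sample page (not a real site) mixing fixed and unfixed resources.
SAMPLE_HTML = """<html><head><link rel="stylesheet" href="http://cdn.example.test/site.css">
<link rel="icon" href="http://cdn.example.test/favicon.ico">
<script src="//cdn.example.test/app.js"></script>
<script src="http://analytics.example.test/track.js"></script></head>
<body><img src="http://images.example.test/logo.png">
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe></body></html>"""
```

Running `scan("https://www.example.test/", SAMPLE_HTML)` flags the stylesheet and the analytics script as active content and the logo image as passive; the protocol-relative script and the HTTPS embed are already fine.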
Users who want to check out the new feature can download the Firefox Beta.