The long-anticipated inclusion of mixed-content blocking in Mozilla Firefox is now at hand, with the security feature showing up in the just-released Firefox 23. The feature, which helps defend users against certain kinds of man-in-the-middle attacks, is on by default in the new browser.
Mixed content is one of the results of the spread of SSL-protected sites. It’s the term used to describe insecure content such as images, audio, video, JavaScript and CSS that are served on HTTPS pages. On a site that offers HTTPS, the main content of the page served to the user is protected and unreadable to an attacker as it moves across the network. However, the unsafe content, such as JavaScript or images, can be seen, intercepted and modified by an attacker in some MITM attacks.
That situation has made life somewhat difficult for browser vendors. They want to encourage users to take advantage of the secure connections offered by many sites these days, but they also want to display the full content of pages. But given the state of Web security these days, that’s not necessarily a great idea. The change in Firefox 23 addresses that issue without putting it into users’ hands. The new version of the browser blocks the most dangerous kind of mixed content–active mixed content–by default.
“The Mixed Content Blocker will block Mixed Active Content requests in Firefox 23. This reduces the threat to the user, but does not eliminate it completely because Mixed Passive Content is still permitted. Users can decide to block Mixed Passive Content as well by following a couple simple steps,” Tanvi Vyas of Mozilla wrote.
“To avoid generating a browser security warning, websites will begin removing Mixed Passive Content from their HTTPS sites by replacing HTTP images and videos with their HTTPS equivalent versions. When low bandwidth users visit the HTTPS site, all image loads and video streams would be encrypted and there would be considerable lag in the page’s load time and the time it takes for videos to buffer. With Mixed Active Content, bandwidth considerations are not as big of an issue since Mixed Active Content loads (ex: scripts, stylesheets) are usually a few KB, compared to Mixed Passive Content loads which often contain multiple MBs of data.
“The risk involved with Mixed Content (active or passive) also depends on the type of website the user is visiting and how sensitive the data exposed to that site may be. The webpage may have public data visible to the world, or it may have private data that is only visible when authenticated. If an HTTP webpage is public and doesn’t have any sensitive data, the use of Mixed Content on that site still provides the attacker with the opportunity to redirect requests to other HTTP URLs and steal HTTP cookies from those sites.”
For users, the change will present itself in the form of a shield displayed in the address bar whenever she visits a site with mixed content. Clicking on the shield will give the user the option to continue blocking mixed content or disable it on that site. One of the other key changes that this new feature brings is default blocking of frames on Web sites. Firefox considers frames mixed active content, which Google Chrome, for example, does not.
“A frame has the ability to navigate the top level page and redirect a user to a malicious site. Frames can also trick users into disclosing sensitive information to attackers. For example, assume a user is on an HTTPS page that embeds an HTTP frame. An attacker can MITM the frame and replace its content with a form. The form may ask the user to login or create an account. Most users are oblivious to the concept of framing pages and have no idea that it is the HTTP frame that contains the form and not the HTTPS website. Assuming they are on the HTTPS encrypted page, the user enters their personal information. This information is then sent to the attacker without the user’s knowledge,” Vyas said.