Categories: Security

Mixed Content Blocker hits Firefox Beta!

The Mixed Content Blocker we described last month is now available in Firefox Beta and is on track for a general release in August with Firefox 23. When secure HTTPS pages load additional content insecurely over HTTP (a.k.a. Mixed Content), users are vulnerable to man-in-the-middle and eavesdropping attacks. The Mixed Content Blocker will block insecure active content by default, protecting our users from these attacks.

Call to Users – Report problems
If you find a website that isn’t functioning correctly because it contains insecure content that is being blocked by the Mixed Content Blocker, please let us know by sending an email to security@mozilla.org or commenting in our compatibility tracking bug

How can you tell if a site has Mixed Content that Firefox has blocked? Look for this Shield Icon in the location bar.

Image: A small shield icon is shown before the web page address in the location bar when Firefox has blocked Mixed Active Content.

If you’d like to contribute further and help us find compatibility issues you can participate in our QA test day on Monday, July 1st.

Call to Web Developers – Test your site with Firefox Beta
If you rely on HTTP resources in your HTTPS pages this feature might break your website. If you do find Mixed Content issues on your webpage in Firefox 23+, chances are that the same issues exist in Chrome and/or Internet Explorer, who have also implemented this feature.

The best way to tell if your site will load correctly in Firefox 23 is to download the latest Firefox Beta and browse through your website with the Web Console open. Enable the “Security” messages in Web Console and check for messages about Mixed Content.

Image: The Web Console lists the Mixed Display Content that's loaded and the Mixed Active Content that's blocked.

If you want to test your site in a more automated fashion, you can try using Skipfish, a web application security tool. Skipfish has a -M option that will report mixed content issues on your webpage.

To fix your site, simply replace http:// links with their https:// equivalents on your SSL pages. You can also use protocol-relative links if you use the same source code to serve your HTTP and HTTPS website.

If the Mixed Content resources on your page come from a third party, there is a chance that the HTTPS equivalent version already exists. For example, youtube.com has both HTTP and HTTPS video embed options. If the HTTPS version does not exist, consider contacting the third party (especially if they are one of your partners) and ask them to provide an HTTPS version of the content.

Call to Contributors – Contact Sites
We’ve been working on site compatibility issues, trying to find websites that are affected by the Mixed Content Blocker and alert them before Firefox 23 is released in August. However, finding accurate contact information for the affected sites has been a difficult task. And we could really use some help 😉

If you would like to contribute, please take a look at the list of affected sites and see if you can contact their website administrators and inform them of the Mixed Content compatibility issues that they are about to run into with Firefox 23 (and likely already have with Chrome or Internet Explorer). If you are able to find contact information and/or alert the website please let us know in the associated bug.

You can also help find more affected sites by participating in our QA test day on Monday, July 1st.

Want to Learn More?
Check out a more detailed blog post on this feature here.

4 comments on “Mixed Content Blocker hits Firefox Beta!”

  1. XBOZ wrote on

    Just my curiosity question. Most of the 3rd party ad network runs on HTTP. So that will affect the ad market too. What do you say?

    1. Daniel Veditz wrote on

      Yes, it will. If your ad network requires running insecurely-served script on someone’s secure site that negates any possible reason that site was using SSL. Ad networks will either have to supply a secure version (many already do!) or go back to old-style banner ads that won’t get blocked.

  2. Michael wrote on

    VERY bad idea

    until ssl can be decentralised and allow people to encrypt stuff without involving any third parties.

    if i see even one case of a non-ssl site being blocked because it doesn’t want to buy into buying trust or want a risk of anyone arriving via port 443 being presented with a popup designed to scare them away I will consider it broken and seriously compromised

    enough of this nonesense

    sure some of us do want to be able encrypt private studd .. but not if it means giving untusted companies power to frighten out users away!
    and ONLY on private stuff .. I’m not going to WASTE RESOURSES encrypting public stuff!
    (so mixed content is a MUST)

    until that is fixed it will be SSL NOWHERE

    scammers have way too much power in this world .. please don’t sell out to them1
    encryption cannot be considered secure if untusted third parties have any involvement in whether or how it can be used.

    adding something that might present new visitors with malware like popups would be like adding malware to the site .. I won’t do it,

    after reading this .. I have to say on this day firefox made me sad

    if it starts blocking anything I will be forced to start telling people to use a different browser

    I won’t sell out any buying trust extortion scam

    1. Daniel Veditz wrote on

      > sure some of us do want to be able encrypt private stuff […]
      > and ONLY on private stuff .. I’m not going to WASTE RESOURCES
      > encrypting public stuff! (so mixed content is a MUST)

      Why are you encrypting the private stuff, that is, what threats are you worried about? We allow mixing static content like images. We are only blocking “active” content (e.g. scripts) that can compromise the private stuff for any conceivable reason you made it private in the first place.

      > until that is fixed it will be SSL NOWHERE

      That’s a legitimate worry. Not so much in the case where private data is really at risk–in that case we’re helping the site secure their data–but sites where the SSL guarantee of content integrity was a “nice to have” may get discouraged. Of course they had less guarantee than they thought, but if it was public content there’s no eavesdropping gain so they’re less likely to be attacked anyway. A malicious ISP or proxy could take advantage of it to inject their own ads, but not too many people have started to worry about that yet.

      > if it starts blocking anything I will be forced to start telling people to use
      > a different browser

      This has become a consensus among the browser vendors–as noted above Chrome and IE already do this. You can, however, disable the feature in Firefox through preferences. Pretty buried right now but I fully expect someone’s going to make an add-on to make it easy by time Firefox 23 is released.