Security question: What is "Mixed Content Handling"?

  • Hello,

I've just tested my browser's security with the site https://www.ssllabs.com and I noticed a section with very different results: Mixed Content Handling

    Here is the result in Opera [12.17] :
    Opera

    Here is the result in Firefox [34.0] :
    Firefox

Does it mean my Opera has security issues? Why are the results in Opera red-colored, as if it were a vulnerability? Thank you for any help/clarification.

• That means content from unsecured pages (loaded without SSL) is displayed in pages with an SSL connection.

  • The risk is that information displayed in/by a listed "mixed content" category is not routed via secure https web protocols, and is thus open to being read or modified by an attacker. What that means is that the insecure http content on a mixed-content page can, in principle, be replaced by an outside attacker to make it look as though it's part of the secure page, and might lead a user into giving up private information to it, thinking it's actually secure.

    The security of content in a https page is normally guaranteed by the communications protocols used, the encryption used by the page server/browser combination, and by the certificates possessed by the visited site (and negotiated with the visiting browser). Content in an http page is guaranteed by nothing... it can be read by anyone along the path, and it can be spoofed in a variety of ways (including dns hijacking or man-in-the-middle attacks). Mixed content is where an https supposedly-secure page, credentialed to the user by the site's security certificates, contains page elements that are pulled from insecure http sites... and which are thereby vulnerable to malicious manipulation or eavesdropping.

If it truly matters from a user-identity-protection standpoint, a user should avoid browsers/settings that allow mixed content modes. If the security needs are mild (non-financial, etc.), the user may choose to ignore the issue.

  • Thank you gwen-dragon for your answer.

    Thank you very much blackbird71 for your answer and for your explanation.

    If it truly matters from a user-identity-protection standpoint, a user should avoid browsers/settings that allow mixed content modes

How to avoid that? Where are those settings in Opera? I have looked for "mixed", "content" and "handling" in the opera:config page, and it doesn't offer me any settings about that ...

  • Normally, one can at least hover over the "badge" symbol at the left end of the browser's address box... on most browsers, it will convey by appearance the "secure" status of the site being visited. Further details generally can be obtained by clicking on the badge. That should allow the observant user to avoid such sites... but it requires user habitual attention to avoid such sites. Some browsers, by design, will block users from accessing mixed-content sites altogether if the mixing results from certain specific causes or kinds - such blocking behavior may or may not be defeatable by settings, depending on the browser.

I believe that with Presto Opera versions (12.17 and older), you're largely stuck with whatever the browser provides as default behavior. While one can use browser settings to block some things that might contribute to mixed content (such as scripting or iframes), the settings will tend to function universally for the browser (if done via the general preferences panel) or for the entire site (if done using Site Preferences). The result of those approaches may be to break necessary legitimate functionality on the https part of the site content.

Frankly, this is all part of how one should select their primary browser (but unfortunately enters into most folks' decisions all too rarely), and is also indicative of the impact of obsolescence on an aging browser from an era where such things were just becoming recognized as significant.

  • @blackbird71 Sir, you're really helpful. Thank you
