Discrepancy or error in Firefox documentation regarding mixed content
While trying to make a purchase, I noticed that Firefox flagged the web page with insecure mixed content. However, the browser info contradicts the official documentation.
The browser states, "Information you submit could be viewed by others (like passwords, messages, credit cards, etc.). Your connection is not private and information you share with the site could be viewed by others."
Yet according to the documentation, the orange triangle icon indicates passive mixed content. It states, "Attackers may be able to manipulate parts of the page like displaying misleading or inappropriate content, but they should not be able to steal your personal data from the site."
This seems like a contradiction. The browser is telling us that our information could be compromised, while the documentation states that attackers should not be able to access personal data.
Can you please clarify which one is correct? Also, if the browser is misleading, it should be corrected in a future update. If the problem is with the documentation, it should be updated.
BTW, I noticed that the website had Google Analytics objects embedded. Could that be the source of the insecure HTTP content?
Can websites with passive mixed media content be trusted with sensitive data?
Additional System Details
- Shockwave Flash 32.0 r0
- User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
Firefox blocks two types of mixed content: passive and active.
Passive content is basically just data that Firefox will display, like an image or video. Passive content can be swapped by a malicious actor with fake data. For example, someone could swap an image file if they really wanted to. But passive content doesn't interact with the page. It's just displayed, so there's not really a risk of personal information being captured.
Active content is basically content that can interact with the page, like a script. Since this content has access to the content on your screen and can manipulate parts of it, it's more dangerous because it has the ability to capture your data.
The Mixed content blocking in Firefox (which I assume is the documentation you are referring to) is indeed correct. The error message in Firefox that you have pointed out is a generic message that displays for both passive and active content, which is why it discusses the possibility of data being captured.
Hope this clarifies the situation for you.
You can check the Web Console to see what mixed content this is about. You can type mixed in the Filter bar.
- "3-bar" menu button or Tools -> Web Developer
Since this account was made earlier today I haven't made any text to you. I've explored during the tme the account was made. These may be text that was by me a month ago? I don't know how they've resurfaced.
I also deleted the same text a couple of hours ago and it came back.
I will do what I can to correct the problem. Thank you Mozilla
If the above information does not resolve your issue, please consider creating a new thread containing the specific details of your issue.
Doing so will allow the Mozilla volunteers to give you solutions that are more helpful to you. This may help them to solve your problem faster and more efficiently.
Please, feel free to post the link to your thread on this thread for volunteers interested in assisting you.
Wesley - Alvis did not create this thread. I did. You can see that my user name is Angie.
Regarding you answer, you stated, "... there's not really a risk of personal information being captured."
I'm not a cyber security expert. That being said, I am aware that images have been used by hackers as exploits, not just for social engineering. For example, hackers have used steganography to embed arbitrary code in image files.
This affected Android phone users and has since been patched, but I wonder if something similar couldn't be pulled off in a browser on any device. Simply viewing the image caused the malicious code to run.
If this is indeed the case, then the FF documentation should be corrected. Malicious code could potentially be embedded in insecure images and when executed, steal sensitive data.
In any case, I don't think it's a good idea to use a generic notification in the browser that seems to conflict with the official documentation. Everyday users will not understand the detail involved here. It will be challenging for them to interpret the warning.
Cor-el - thanks for the tip! It was helpful. I actually tried doing this before I posted the OP. For some reason, I didn't do this step correctly the first time :-( I see now that the mixed content refers to a few images on the page.
Alvis - Please don't hijack my thread. Please open your own separate thread, as Wesley has suggested.
Yes, you could use practices like steganography to hide malicious content in an image or other media file. However, generally speaking, you would need to do something to extract and run the content on your computer. Typically, this requires some other piece of malware on your system or another script to do that.
The warning message that you see is the "worst case scenario" message, for users who don't look into it any further.