This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Firefox Security Certificate reports mixed content on secure page: Production & Nightly

  • 5 replies
  • 3 have this problem
  • 15 views
  • Last reply by LukeUofT

more options

Hi Firefox,

I’ve been doing some searching but have been unable to find this issue being discussed in a similar case. We (the University of Toronto) are running Microsoft’s Office365 service to provide email to our students. The security issue presents itself after several seconds after the OWA page loads and occurs regardless of user activity on the page.

Initially, as the page loads, the browser indicates that the site is secure. Shortly thereafter the browser indicates that there are insecure elements on the page. However, from our diagnostics (Firefox developer tools, Firebug, Wireshark) we cannot identify any non-encrypted traffic. We have contacted Microsoft support and they have assured us that our connections to their servers are secure. The issue presents shortly after loading the inbox view of OWA. Initially the page is shown as being secure:

[Figure1: page secure notice] [Figure2: Security details when secure]

However shortly after the page loads, with no user action, the indicator will change to show the page has security issues.

[Figure 3: Mixed content warning] [Figure 4: Security Details]

The indication is that there is a problem with mixed content. The certificate is unchanged.

[Figure 5: Certificate Details]

The problem has been reproduced as of May 6, 2014 on a fully patched version of Windows 8.1 running a clean install of nightly; on a fully patched Windows 7 running a clean install of production Firefox 29.0; and on OSX 10.9.2 on a factory reset re-install of production 29.0.

I’m wondering if anyone can shed any light on this behavior and advise a path to incorporate corrective action into subsequent releases of Firefox?

Thanks in advance, Luke

Hi Firefox, I’ve been doing some searching but have been unable to find this issue being discussed in a similar case. We (the University of Toronto) are running Microsoft’s Office365 service to provide email to our students. The security issue presents itself after several seconds after the OWA page loads and occurs regardless of user activity on the page. Initially, as the page loads, the browser indicates that the site is secure. Shortly thereafter the browser indicates that there are insecure elements on the page. However, from our diagnostics (Firefox developer tools, Firebug, Wireshark) we cannot identify any non-encrypted traffic. We have contacted Microsoft support and they have assured us that our connections to their servers are secure. The issue presents shortly after loading the inbox view of OWA. Initially the page is shown as being secure: [Figure1: page secure notice] [Figure2: Security details when secure] However shortly after the page loads, with no user action, the indicator will change to show the page has security issues. [Figure 3: Mixed content warning] [Figure 4: Security Details] The indication is that there is a problem with mixed content. The certificate is unchanged. [Figure 5: Certificate Details] The problem has been reproduced as of May 6, 2014 on a fully patched version of Windows 8.1 running a clean install of nightly; on a fully patched Windows 7 running a clean install of production Firefox 29.0; and on OSX 10.9.2 on a factory reset re-install of production 29.0. I’m wondering if anyone can shed any light on this behavior and advise a path to incorporate corrective action into subsequent releases of Firefox? Thanks in advance, Luke

All Replies (5)

more options

Accompanying figures.

more options

So, nothing shows in the Web Console (Firefox/Tools > Web Developer) when you filter for mixed?

See also:

more options

Plenty of things show, however the page is still shown as secure after all activity stops in the console the page is still secure.

These are the last for console events:

POST https://pod51030.outlook.com/owa/service.svc [HTTP/1.1 200 OK 160ms] POST https://pod51030.outlook.com/owa/service.svc [HTTP/1.1 200 OK 200ms] POST https://pod51030.outlook.com/owa/service.svc [HTTP/1.1 200 OK 160ms] POST https://pod51030.outlook.com/owa/service.svc [HTTP/1.1 200 OK 1072ms]

a few seconds later is when the warning indicator appears. There is no console event around this time.

more options

Maybe it is about OCSP checks for certificates.


more options

When I manually inspect the certificates before and after Firefox reports the change in state They appear to be identical.

Is there a way to check OCSP traffic in Firefox?

Additionally, there is a 'Light' version of the interface that doesn't make use of all the fancy JavaScript and there is not the same issue with mixed content.