Mixed content blocking in Firefox
- Revision id: 39391
- Creator: tanvi
- Comment: First draft
- Reviewed: No
- Ready for localization: No
When you visit a page served over HTTP, your connection is open for eavesdropping and man-in-the-middle (MITM) attacks. When you visit a page served over HTTPS, your connection with the web server is authenticated and encrypted with SSL and hence safeguarded from eavesdroppers and MITM attacks.
However, if the HTTPS page you visit includes HTTP content, the HTTP portion can be read or modified by attackers, even though the main page is served over HTTPS. When an HTTPS page has HTTP content, we call that content “mixed”. The webpage the user is visiting is only partially encrypted: some of its content is retrieved unencrypted (in cleartext) over HTTP, and is therefore readable by sniffers and modifiable by MITM attackers.
The Mixed Content Blocker blocks potentially harmful HTTP requests on HTTPS pages.
What are the risks?
Mixed content carries additional risk on a site that holds sensitive user data. If the website contains private data that is only visible when authenticated, an attacker who tampers with the mixed content on the page could read the user's data, steal the user's credentials and take over their account.
If an HTTPS webpage is public and does not hold any sensitive data, mixed content on that site still gives an attacker the opportunity to redirect requests to other HTTP URLs and steal HTTP cookies from those sites.
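As an added example (not code from this draft or from Firefox itself), the following Python scanner lists the cleartext subresources an HTTPS page would request, which is exactly the set of requests the blocker must decide over. The active/passive split is an assumption taken from Firefox's documented blocker behaviour rather than from this draft, and the page URL, hostnames and HTML are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that load subresources. The active/passive split is
# Firefox's documented behaviour (assumption: not stated in this draft): active
# content can run or restyle the page and is blocked; passive is display-only.
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data"),
          ("embed", "src"), ("link", "href")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

class MixedContentScanner(HTMLParser):
    """Collect subresources an HTTPS page would fetch over cleartext HTTP."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url), in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Only stylesheet <link>s are active content; icons etc. are skipped.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for pairs, kind in ((ACTIVE, "active"), (PASSIVE, "passive")):
            for t, a in pairs:
                if tag == t and attrs.get(a):
                    # urljoin resolves relative and scheme-relative ("//cdn/x.js")
                    # references; those inherit https and are not mixed content.
                    url = urljoin(self.page_url, attrs[a])
                    if urlsplit(url).scheme == "http":
                        self.findings.append((kind, tag, url))

def find_mixed_content(page_url, html):
    """Return [(kind, tag, url)] for every cleartext subresource of an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on HTTPS pages
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

# Constructed sample: an HTTPS account page with five subresources.
SAMPLE_URL = "https://bank.example.test/account"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="http://cdn.example.test/app.js"></script>
<script src="//cdn.example.test/safe.js"></script>
</head><body><img src="http://images.example.test/logo.png">
<img src="/static/local.png"></body></html>"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE_URL, SAMPLE_HTML):
        print(f"{kind:7} <{tag}> {url}")
```

On the sample page the scanner reports two active findings (the stylesheet and app.js, which Firefox would block) and one passive finding (the logo image); the scheme-relative script and the site-relative image resolve to https and are not mixed.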
For more information on mixed content, see https://developer.mozilla.org/en/Security/MixedContent.