Don't panic!

The gray padlock with yellow triangle means your connection with the page was secured: what you send to and received from the site was encrypted in transit.

However, the page included one or more images that were called over an open (HTTP) connection, and Firefox allowed them. The yellow triangle is a warning about this, but in most cases, it doesn't cause any harm, which is why the images are not automatically blocked.

If you want to turn on blocking of HTTP address images in HTTPS pages, you can do that as an extra precaution. I can give you the steps if you want to try it out. But that is more paranoia than necessary for most people.

References:

• How do I tell if my connection to a website is secure?
• Mixed content blocking in Firefox

Thank you greatly for your reassuring response. The transmission contained a lot of highly sensitive information, therefore any risk is too much in this case. So, yes please supply the steps to block http images in https pages in the future. There was an earlier comment of yours on a similar topic: "You have a gray lock with the yellow warning triangle? That's troubling, it usually indicates that some content on the page was sent by HTTP instead of HTTPS." Could you kindly clarify the level of risk involved in sending and receiving sensitive data when the grey lock with yellow warning shows up? Just wanting to know if we need to follow up on any possible security breach. Thanks!

On a site that handles sensitive financial or health data, you should always have a green lock. But one of the complexities of assessing the seriousness of the problem is that you find out too late, and it depends on is the source of the HTTP images and how the site works.

I donated on a charity's site where I could tell from checking the Page Info dialog's Media list that the insecure image was their site icon (the one that appears on the tab). It's bad in the sense that my session cookies may have leaked -- I say may because sites can designate some cookies to be sent only over https, and it's difficult to check that -- increasing the risk that someone could hijack my session. But in that case, it would be too late: it was a one-time transaction with a "forward-only" page flow, so even if someone else were to trick the site using stolen cookies into showing a page I viewed (or some page of their choosing), they couldn't go to a critical page I had already left.

On email sites, the source of the mixed content ususally are either images embedded in a message or in an ad in the page. These sources would receive only their own third party cookies, so there is as far as I know no risk of your session being hijacked.

One occasional source of insecure images is an add-on that injects ads into pages. If you have any such add-ons, it would be a good idea to remove them. You can view, disable, and often remove unwanted or unknown extensions on the Add-ons page. Either:

• Ctrl+Shift+a (Mac: Command+Shift+a)
• "3-bar" menu button (or Tools menu) > Add-ons

In the left column, click Extensions. Then cast a critical eye over the list on the right side. All extensions are optional. If in doubt, disable or remove.

Often a link will appear above at least one disabled extension to restart Firefox. You can complete your work on the tab and click one of the links as the last step.

And finally, to block HTTP images in HTTPS pages by default:

(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful.

(2) In the search box above the list, type or paste mix and pause while the list is filtered

(3) Double-click the security.mixed_content.block_display_content preference to switch the value from false to true

I should mention that at least in some versions of Firefox -- I don't see it that often -- when you go "Back" to a secure page that previously had a green lock, Firefox may now show a gray lock/yellow triangle. That seems to be a bug: it reloaded content from cache and somehow lost track of its original secure origin status. If the problem occurs when you use the "Back" button and you think it would not cause your data on that page to be erased, you can reload the page and the green lock should return.

Thank you jscher2000 for your explanations. We were on an online tax return site by a supposedly reputable company while the security icon changed from green to grey lock with yellow warning. As you noted, on a site that handles such sensitive data we did not expect anything but a green lock and surely did not anticipate that it could change midway. We logged out as soon as we noticed this, but highly sensitive information had already been submitted by then.

Is there any way to find out with more certainty: 1. Is the transmitted data safe because it was encrypted even though the security of the site was compromised, evidently by HTTP images? 2. If not, what risk is the highly sensitive data exposed to?

Thanks so much for the tips. No add-ons were listed under Extensions, and the security.mixed.content.block value is now true.

Firefox's history doesn't show all the images loaded into that page, so I think at this point it isn't possible to determine exactly where the image came from. I suggest telling their tech support what you encountered and where you encountered it.

As I mentioned, a normal image is not a security threat, whether it is retrieved on an open connection or an encrypted connection. (Sometimes bugs are found where an image can crash the browser and run dangerous code, but you would have noticed that!)

The potential danger with HTTP images on an HTTPS site is when Firefox requests an image, it sends the source server any cookies it previously set that are not restricted to HTTPS connections. If that is the same server as the one on which you are currently active, and if those cookies were intercepted -- most likely on a public wi-fi hotspot, far less likely at home -- the interceptor could possibly have tried to join your session by going to the site home page and simulating your browser by submitting your cookies.

A well designed application would recognize the hijacking attempt and terminate the session immediately, forcing you to log in again and get a fresh set of session cookies. That's what you would want to hear would happen in that scenario.

Anyway, since you logged out immediately, it's unlikely anyone would have had time to impersonate you, and by logging out, you rendered any intercepted session cookies obsolete. So based on what you did, I think the risk of anything bad having happened is very low. But it's still a good idea to let them know about it.