X
Tap here to go to the mobile version of the site.
Your Firefox is out of date and may contain a security risk! Upgrade Firefox

Support Forum

some https sites displaying message "you have requested an encrypted page which contains some unencrypted information

Posted

I am using Firefox 13.01 on a Mac os an I am using electronic box a Canadian ISP. I receive the message when i go to https://www.youtube.com/results?search_query=electronicbox and a few others

"you have requested an encrypted page that contains some unencrypted information. Information that you see or enter on this page could easily be read by a third party."

The message clearly states that infomraiton can be read or enter can be read by a third party. I would like to know why "youtube" which has https, or SSL service which I am using still displays that message?

Additional System Details

Sites Affected

http://

Installed Plug-ins

  • Shockwave Flash 11.4 r402
  • The QuickTime Plugin allows you to view a wide variety of multimedia content in web pages. For more information, visit the QuickTime Web site.

Application

  • User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:13.0) Gecko/20100101 Firefox/13.0.1

More Information

Some other sites display the message with a https: request.

jscher2000
  • Top 10 Contributor
2384 solutions 21079 answers

In a future version, Firefox will let you actually block the insecure content from loading. Currently, you only get a warning.

On that page, the following are loaded using HTTP instead of HTTPS:

http://i4.ytimg.com/vi/pzXFzdwFGnk/hq1.jpg
http://i3.ytimg.com/vi/0LbbLLfsFvg/default.jpg

Perhaps it is not a coincidence that these images are in the ads I see at the top and bottom of the page. eBay recently was reported to have a similar problem with its ad server in this thread: Ebay sign in page does not have padlock-states only partially encrypted..IE has padlock. Why is ebay's sign in page not secure in Firefox? FF Version 14.0.1.

finitarry 157 solutions 2178 answers

If it is YouTube, why worry about it? If you were buying something or doing banking, then do worry about it.

helenrbeaupre 0 solutions 6 answers

I get this when I go into my gmail or facebook account--not exactly reassuring! As a result, I have NOT used Mozilla firefox for these applications even though I would like to--especially since firefox has automatic spelling corrections along the way. Any suggestions on how I can prevent this message from coming up?

jscher2000
  • Top 10 Contributor
2384 solutions 21079 answers

Hi helenrbeaupre, my guess would be that most insecure content issues in Gmail and Facebook are caused by advertising. You might test an ad blocking add-on and see whether that resolves the issue. I haven't used any of them myself, so can't make a particular recommendation.

helenrbeaupre 0 solutions 6 answers

I picked the most popular Firefox ad-blocker (Adblock Plus) and didn't get this annoying error message! Thank you so very much for helping me with this--it has been a nuisance for months and prevented me from using firefox comfortably--despite many other great features!

helenrbeaupre 0 solutions 6 answers

Unfortunately, this ad blocker only worked for a couple of times--then I got the error message again. It really does prevent me from using Mozilla Firefox comfortably. Any other suggestions?

cor-el
  • Top 10 Contributor
  • Moderator
10780 solutions 97024 answers

You can either disable that error message (there should be a check-box on the pop-up alert and only leave the basic globe instead of the padlock on the location bar) or use a normal http connection until YouTube has sorted this out and only serves secure content if you use a secure https connection.

helenrbeaupre 0 solutions 6 answers

Helpful Reply

Unlike an earlier user, I am not using youtube when I get this message. I am trying to get into my gmail, yahoo mail and facebook--not sites I want to compromise my security with! I would really really appreciate help figuring out this annoying pop-up. Thanks for any suggestions.

cor-el
  • Top 10 Contributor
  • Moderator
10780 solutions 97024 answers

You should not be seeing this alert on Gmail or other (premium) e-mail and bank sites.
Facebook can force a secure connection via its settings, but may not work properly with all its applications (games) if you do.
Large sites like Yahoo and Facebook are usually not designed to work properly with a secure connection as they may have ads from a lot of sources, so you may have to access them via a normal http connection.

helenrbeaupre 0 solutions 6 answers

I like using Mozilla Firefox for Facebook because it has spell check. Are you saying I cannot use Mozilla Firefox for Facebook or Yahoo email? This doesn't seem right to me! Also, I DO get this error message when trying to enter my gmail. Currently, I am using Avira security software. I'm about to stop using Mozilla Firefox because of this error message. Any other solutions or advice is greatly appreciated. Should I try re-loading Firefox?

jscher2000
  • Top 10 Contributor
2384 solutions 21079 answers

You could consider using the NoScript extension as an alternate way to control which content loads into a page. When you first start using NoScript, you will find yourself visiting its menu frequently to unblock sites that you want to be able to run scripts. Over time, as you build your list of approved sites, you won't need to use the menu as often.

helenrbeaupre 0 solutions 6 answers

Helpful Reply

Appreciate your suggestions, but this is sounding too complicated for me--especially since I just read Google Chrome is the most secure browser. I may just start using Chrome. Thanks very much anyway!

jodyCoolness 0 solutions 6 answers

The main problem is how this condition is handled. When the browser detects this situation, it breaks it's response into two, with the encrypted portion sent but the unencrypted part delayed until the user answers the dialog. In my case the first response seen by the server is a GET, and the second is a POST containing the form data needed to process the REQUEST (both GET and POST) properly. By the time the sever sees the POST data it has already processed the GET data and deems the response invalid, since there was no POST data to go along with the GET data.

Unless Mozilla decides to restore the preference option to disable this warning (this warning has been irritating people for 4 years now, and there was an option to disable the warning in older versions of Firefox) this bug should be fixed by holding the entire response (POST and GET data, encrypted or not) until the user answers the warning dialog to continue.

When the entire response is sent together it can be properly processed, just like other browsers do. This is a real bug in Firefox.

finitarry 157 solutions 2178 answers

helenrbeaupre,

Even if you blocked that warning message for mixed content, the situation would still be there, and the icon in the address bar would still not be a secure padlock image. It is possible to block that message from about:config.

security.warn_viewing_mixed - setting to false blocks the warning

jscher2000
  • Top 10 Contributor
2384 solutions 21079 answers

Hi jodyCoolness, I don't understand your scenario: you have two requests to your server, one GET and one POST, and either the POST is not using SSL (why?) or there is an intervening insecure request to an external server (can that be avoided)? Why is there a race condition between your two requests: can't you wait for the POST to complete before making your GET request?

jodyCoolness 0 solutions 6 answers

I have a simple Joomla website with a shopping cart component. It contacts paypal using an https, encrypted URL to pass the shopping cart data.

Once the user pays for the items a link is provided by paypal to return to the sellers website. That link takes the user to another paypal page that has an automatic redirect to the seller's website, and a manual link to click if the automatic redirect fails.

As soon as the redirect fires or you click the manual link to return, you get the popup in Firefox (versions 16.0.2 & 18.0.2 for Mac OSX tested).

All of this behavior is dictated by Paypal. For some crazy reason, where other browsers respond with GET and POST data in one http handshake session, occurring in close proximity in time and where they are treated as a singular request to be processed, Mozilla splits the response going back to the seller website (containing order payment confirmation info) into separate GET and POST segments, with the GET segment going out right away and the POST being held back waiting for an answer to the warning prompt to continue or not. No other browsers exhibit this behavior.

As I suggested, all of the data should be returned at the same time, so it is processed as a singular response, not split into two.

The paypal pages reside on a secure, ssl encrypted server. The Joomla website is on an unsecured server, and that's where the response is being returned. The paypal page is encrypted, but contains a form of unencrypted POST data. This data is sent only after the user answers your security warning dialog. However, a GET response with a few data items is sent immediately when the timer fires or the link is clicked to submit the form. The GET data is sent back prematurely, before the user answers the dialog. Who cares if the GET portion is secured; I suspect that's why it is sent apart from the POST data. The form is presented below.

<form method="post" id="merchantredirectform" name="merchantredirectform" action="http://7639.myhost.com/staging/shamansjoy/index.php?option=com_caddy&action=paysuccess" class=""> <input type="hidden" name="mc_gross" value="19.95"> <input type="hidden" name="protection_eligibility" value="Ineligible"> <input type="hidden" name="address_status" value="confirmed"> <input type="hidden" name="item_number1" value=""> <input type="hidden" name="payer_id" value="3NX4GG3FKXTA4"> <input type="hidden" name="tax" value="0.00"> <input type="hidden" name="address_street" value="1 Main St"> <input type="hidden" name="payment_date" value="14:06:31 Feb 14, 2013 PST"> <input type="hidden" name="payment_status" value="Pending"> <input type="hidden" name="charset" value="windows-1252"> <input type="hidden" name="address_zip" value="95131"> <input type="hidden" name="mc_shipping" value="0.00"> <input type="hidden" name="mc_handling" value="0.00"> <input type="hidden" name="first_name" value="buyer"> <input type="hidden" name="mc_fee" value="0.88"> <input type="hidden" name="address_country_code" value="US"> <input type="hidden" name="address_name" value="buyer beware"> <input type="hidden" name="notify_version" value="3.7"> <input type="hidden" name="custom" value="68"> <input type="hidden" name="payer_status" value="verified"> <input type="hidden" name="business" value="testad_1345151796_biz@7639.myhost.com"> <input type="hidden" name="address_country" value="United States"> <input type="hidden" name="num_cart_items" value="1"> <input type="hidden" name="mc_handling1" value="0.00"> <input type="hidden" name="address_city" value="San Jose"> <input type="hidden" name="payer_email" value="testad_1345151513_per@7639.myhost.com"> <input type="hidden" name="verify_sign" value="AFcWxV21C7fd0v3bYYYRCpSSRl31AtHmDldhBfGwbbFzyHfoF1S0qDEI"> <input type="hidden" name="mc_shipping1" value="0.00"> <input type="hidden" name="tax1" value="0.00"> <input type="hidden" name="txn_id" value="9AG49331WD439184V"> <input type="hidden" name="payment_type" value="instant"> <input type="hidden" name="last_name" value="beware"> <input type="hidden" name="address_state" value="CA"> <input type="hidden" name="item_name1" value="Shaman's Joy Salve (Salve) 2 Ounce Jar"> <input type="hidden" name="receiver_email" value="testad_1345151796_biz@7639.myhost.com"> <input type="hidden" name="payment_fee" value="0.88"> <input type="hidden" name="quantity1" value="1"> <input type="hidden" name="receiver_id" value="FBL476UVL2PHL"> <input type="hidden" name="pending_reason" value="paymentreview"> <input type="hidden" name="txn_type" value="cart"> <input type="hidden" name="mc_gross_1" value="19.95"> <input type="hidden" name="mc_currency" value="USD"> <input type="hidden" name="residence_country" value="US"> <input type="hidden" name="test_ipn" value="1"> <input type="hidden" name="transaction_subject" value="68"> <input type="hidden" name="payment_gross" value="19.95">

Thanks for your order

Your payment of $19.95 USD is complete.

You're now going back to Shaman's Joy Test Store.

If you are not redirected within 10 seconds, <input type="submit" value="click here" id="merchantReturnLink" name="merchant_return_link" class=""> .

     
 <script type="text/javascript">

PAYPAL.util.Event.onDomReady( function() { setTimeout("document.forms.merchantredirectform.submit()", 4000); } );

 </script>

<input name="auth" type="hidden" value="ALElRB3MXSef63k5H5CyhwKmcgkB4vzZh05er2.RxbqXO8u0k9Ws9W28oXCAuK1X4WdvMkoo-D1p3SZmozlKu6Q"> </form>

philipp
  • Top 10 Contributor
  • Moderator
2051 solutions 8919 answers

hello jodyCoolness, if you suspect this is a general issue with firefox, please file a bug at bugzilla.mozilla.org. thanks!

jscher2000
  • Top 10 Contributor
2384 solutions 21079 answers

Hi jodyCoolness, I don't know why a GET is being sent, I can't see any reason for that.


In case one of your add-ons is interacting with the form, could you try Firefox's Safe Mode?

First, I recommend backing up your Firefox settings in case something goes wrong. See Back up and restore information in Firefox profiles. (You can copy your entire Firefox profile folder somewhere outside of the Mozilla folder.)

Next, restart Firefox in Firefox's Safe Mode (Troubleshoot Firefox issues using Safe Mode) using

Help > Restart with Add-ons Disabled

In the dialog, click "Start in Safe Mode."

You also could disable any uncommon add-ons here:

orange Firefox button or classic Tools menu > Add-ons > Plugins category

Any change?

jodyCoolness 0 solutions 6 answers

As suspected there is no change with add ons disabled.

I don't know what the rationale was to get rid of the option that provides control over this warning, but IMO it should not have been removed as an option.

I don't know why there are two sets of data being returned, or why a subset of the data is considered to be encrypted, which is probably the reason for the two sets of data.

I have googled this issue and see similar complaints about it for 4 years now. Isn't it about time you started listening to your users and fix this?

Firefox has been my favorite browser for many years, but I am hearing more and more feedback from experienced web developers that it is no longer a quality product, in terms of the number of bugs reported and the subsequent releases to fix them.

My post is probably the most detailed you are going to get that provides technical reasons for this aberrant behavior. It is easy enough to setup a scenario to duplicate this issue. Create a page on an unsecured server, say on blogger.com, with a link to make a payment with paypal. Setup a paypal sandbox so it doesn't cost you a thing. Paypal always uses secured URLs, even for its sandbox servers. You will see the same issue when you return from paypal as I do.

Modified by jodyCoolness

MonikerTaken 0 solutions 1 answers

I'm not very technical, but thought my answer could possibly help someone. I made sure my version of Firefox was up to date ( discovered this by accident)!, updated all of my Adobe Flash player settings, Adobe reader etc, and then reset my Firefox ( whilst still being able to keep my bookmarks and cookies) . https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-most-problems

I had this error message coming up ALL the time, even when innocently searching the web and now it's totally gone :)

P.S- I also made sure my internet security was updated .