Orange exclamation point over padlock does NOT go away even after setting Security:mixed_content_blocked on about:config. How do I make this go away????

  • 11 replies
  • 1 has this problem
  • 7 views
  • Last reply by BernieB123

When I access my Comcast email via web mail, my HTTPS session with a lovely green padlock shows the orange exclamation point over the padlock when I preview emails with mixed content. I've spent hours with Comcast help desk and they say it is a browser issue (this also happens in Chrome). I've gone through the Help articles and set Security:mixed_content.block_display_content to TRUE; I've looked at the web console and seen that the images are HTTP. This did NOT use to happen. How vulnerable am I? How do I make this stop?!

I also noticed it when I was LOGGED ON to Amazon. The product pages are filled with HTTP images. If I click on one of these, is my user info transmitted?

None of the articles I've seen tell me how to stop this - other than the about:config article - and that fix doesn't stop this. Please help!

All Replies (11)

If mixed "display" content is blocked (security.mixed_content.block_display_content customized to true), the lock should stay green and the images should be missing. However, Firefox may be using previously cached content, so in order to see a change, you may need to clear that. You can find the steps in this article:

How to clear the Firefox cache

If you have a large hard drive, this might take a few minutes. If you do not see the number going down on the page, you can reload it using Ctrl+r to check progress.


A normal image is not a security threat, whether it is retrieved on an open connection or an encrypted connection. (Sometimes bugs are found where an image can crash the browser and run dangerous code, but you would have noticed that!)

The potential danger with HTTP images on an HTTPS site is when Firefox requests an image, it sends the source server any cookies it previously set that are not restricted to HTTPS connections. If that is the same server as the one on which you are currently active, and if those cookies are intercepted -- most likely on a public wi-fi hotspot, far less likely at home -- the interceptor could possibly try to join your session by going to the site home page and simulating your browser by submitting your cookies.

A well designed web application would recognize the hijacking attempt and terminate the session immediately, forcing you to log in again and get a fresh set of session cookies. That's what you would want to hear would happen in that scenario.

I think Amazon is pretty good about security; I don't know about Comcast.
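
The cookie exposure described in the reply above, as an added example that is not part of the original thread: it lists the plain-HTTP subresources of an HTTPS page and the cookies without the Secure attribute that would travel with each request. The page, hosts and cookie jar are constructed, and path and SameSite matching are left out as a simplifying assumption.

```javascript
// Constructed sample page and cookie jar (not real sites or real cookies).
const PAGE_URL = "https://mail.example.test/inbox";
const SAMPLE_HTML = `
  <img src="http://mail.example.test/avatars/me.png">
  <img src="/static/logo.png">
  <img src="http://images.example.net/banner.gif">
  <script src="http://static.example.test/app.js"></script>`;
const SAMPLE_JAR = [
  { name: "session", domain: "mail.example.test", hostOnly: true, secure: false },
  { name: "csrf", domain: "mail.example.test", hostOnly: true, secure: true },
  { name: "prefs", domain: "example.test", hostOnly: false, secure: false },
  { name: "ad_id", domain: "images.example.net", hostOnly: true, secure: false },
];

// Tags whose loads count as mixed "display" content; the others are "active".
const DISPLAY_TAGS = new Set(["img", "audio", "video", "source"]);
const SRC_RE = /<(img|audio|video|source|script|iframe|embed)\b[^>]*?\ssrc\s*=\s*["']([^"']+)["']/gi;

// Return every subresource an HTTPS page would fetch over plain HTTP.
function findMixedContent(html, pageUrl) {
  const page = new URL(pageUrl);
  if (page.protocol !== "https:") return []; // mixed content only exists on HTTPS pages
  const hits = [];
  for (const [, tag, src] of html.matchAll(SRC_RE)) {
    let target;
    try { target = new URL(src, page); } catch { continue; } // skip unparsable URLs
    if (target.protocol === "http:") {
      const kind = DISPLAY_TAGS.has(tag.toLowerCase()) ? "display" : "active";
      hits.push({ url: target.href, host: target.hostname, kind });
    }
  }
  return hits;
}

// Names of cookies that would ride along on a plain-HTTP request to `host`:
// domain-matching cookies that lack the Secure attribute.
function cookiesSentInClear(host, jar) {
  return jar
    .filter((c) => !c.secure)
    .filter((c) => (c.hostOnly ? host === c.domain : host === c.domain || host.endsWith("." + c.domain)))
    .map((c) => c.name);
}

// Combine both: which mixed-content loads expose which cookies.
function auditPage(html, pageUrl, jar) {
  return findMixedContent(html, pageUrl).map((m) => ({ ...m, exposed: cookiesSentInClear(m.host, jar) }));
}

console.log(auditPage(SAMPLE_HTML, PAGE_URL, SAMPLE_JAR));
```

In the constructed data the `csrf` cookie never appears in the output because it carries the Secure attribute, which is the site-side fix for the exposure described above.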

Thank you so much for the detailed reply, especially about the security implications. I should have stated that I'd cleared my cache after changing the about:config setting. That didn't stop the orange exclamation point. I am on my home WiFi (secure).

I would love to know what changed. When I use gmail, and view the same email as on Comcast, I do not see the exclamation point. Do you think that both Comcast and Amazon have recently changed their servers or web apps to allow the HTTP content on an HTTPS connection? That seems unlikely to me.

I don't mean to seem ungrateful! I really appreciate your response!

It is strange that the identical email message displays differently on Gmail and on Comcast. Either the sender used HTTP links or it used HTTPS links in the message; the platform shouldn't matter. Unless Google is somehow proxying the image through its own servers to bypass a mixed content problem. If you right-click the image and View Image Info on each site, you should be able to see whether it's pulling from the same source.

Firefox also uses the warning triangle to indicate a weakly encrypted connection. The little panel that appears when you click the lock icon may have a statement to that effect, or the Security tab of the Page Info dialog may have a note at the bottom about that, if that is the problem.

It's definitely "weak encryption". I attached a couple of screen shots. I should also note that I deleted my cert8.db file and Firefox recreated that (seemingly without issue).

Since my reboot, I no longer see the orange exclamation point on Amazon, so I must have seen that before I changed the about:config.

Now it just appears to be Comcast (so this is THEIR fault!).

Do you see anything that would indicate otherwise? Thank you SO MUCH!

If you check the Page Info dialog, Security panel, at the bottom usually there is a description of the connection you have with the site and there may also be a critique there about why it is weak.

I wish this were easier to access. I used to suggest using Chrome for diagnosis because it had a long security panel that dropped down from the lock. However, they now moved theirs into the developer tools so it's similarly painful to research.

I can't load connect.xfinity.com without a Comcast login, but when I cross-check on this diagnostic site, there's no indication of bad security practices with the site: https://www.ssllabs.com/ssltest/analyze.html?d=connect.xfinity.com

Could you check to see whether there might be an intermediary in your connection to the site? That often is indicated by a suspicious certificate issuer. You can view the certificate information through the Page Info dialog, Security panel. Either:

  • right-click (on Mac Ctrl+click) a blank area of the page and choose View Page Info > Security > "View Certificate"
  • (menu bar) Tools > Page Info > Security > "View Certificate"
  • click the padlock or "i" icon in the address bar, then the ">" button, then More Information, and finally the "View Certificate" button

It looks like the "Issued by" section "Common name (CN)" should be:

COMODO RSA Organization Validation Secure Server CA

And the period of validity should be April 7, 2016 through April 7, 2018.

Does yours show that?

I saw your email while I was out and couldn't wait to get home to check it out. Emails that do NOT cause the orange exclamation point have the valid certificate that you note above (screen shot "GoodComcastCert" - 2nd image). However, the emails with web content that DO cause the orange exclamation point say that the certificate has not been verified. See the screen shots.

Why would Comcast not verify their certificate?

Hmm, that "not verified" message doesn't really make sense to me, when the certificate looks good when you inspect it. I don't know why you get inconsistent results.

I truly appreciate your help and responsiveness. If it doesn't bug you, I would like to leave this one open to see if anyone else can make sense of this.

I feel another marathon call with Comcast's Help Desk coming on.

Thank you so much for all your input.

You didn't show the certificate details, so we can't see if there is a difference in the certificate chain.

You can try to rename the cert8.db file in the profile folder temporarily in case a different mirror is used or an older intermediate certificate (DV instead of EV).

I don't think however that this would make a difference since in both cases Page Info shows the same connection details. If a weak connection would be used then you should see this reflected there I think.

I see that you have Tracking Protection active (enabled). I also see an error message about IndexedDB in one of the screenshots. What is the dom.indexedDB.enabled setting on about:config? If you block cookies from specific domains then this also affects other storage types like IndexedDB and local storage.

dom.indexedDB.enabled is set to TRUE. I attached a screenshot of the Tracking Protection settings from about:config.

I tried to get some certificate details for you this morning but the problem seems to have mysteriously resolved itself today. I accessed the exact same emails with web content and got NO orange exclamation point.

The only possible explanation for this was that Comcast changed something. I'm glad it's gone but what a PITA!!!

Thank you so much for your help!