Mixed content blocking in Firefox

<!-- See https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/ and http://people.mozilla.com/~lco/ProjectSPF/Mixed_Content/Mixed_Content_Spec/Mixed%20Content%20Spec%20v4.pdf for more info --> When you visit a page served over HTTP, your connection is open for eavesdropping and man-in-the-middle (MITM) attacks. When you visit a page served over HTTPS, your connection with the web server is authenticated and encrypted with SSL and hence safeguarded from eavesdroppers and MITM attacks. However, if the HTTPS page you visit includes HTTP content, the HTTP portion can be read or modified by attackers, even though the main page is served over HTTPS. When an HTTPS page has HTTP content, we call that content “mixed”. The webpage that the user is visiting is only partially encrypted, since some of the content is retrieved unencrypted (in cleartext) over HTTP and hence accessible to sniffers and can be modified by MITM attackers. The Mixed Content Blocker blocks potentially harmful HTTP requests on HTTPS pages. ==What are the risks?== A man-in-the-middle attacker can intercept the request for the HTTP content. The attacker can also re-write the response to include malicious JavaScript code. Malicious script can steal the user's credentials, acquire sensitive data about the user, or attempt to install malware on the user's system (by leveraging vulnerable plugins the user has installed, for example). There is additional risk involved with Mixed Content when visiting a site that contains sensitive user data. If the website contains private data that is only visible when authenticated, mixed content on the page could read the user's data, steal a user's credentials and take over their account. If an HTTP webpage is public and doesn’t have any sensitive data, the use of Mixed Content on that site still provides the attacker with the opportunity to redirect requests to other HTTP URLs and steal HTTP cookies from those sites. For more information about Mixed Content, see https://developer.mozilla.org/en/Security/MixedContent.

When you visit a page served over HTTP, your connection is open for eavesdropping and man-in-the-middle (MITM) attacks. When you visit a page served over HTTPS, your connection with the web server is authenticated and encrypted with SSL and hence safeguarded from eavesdroppers and MITM attacks.

However, if the HTTPS page you visit includes HTTP content, the HTTP portion can be read or modified by attackers, even though the main page is served over HTTPS. When an HTTPS page has HTTP content, we call that content “mixed”. The webpage that the user is visiting is only partially encrypted, since some of the content is retrieved unencrypted (in cleartext) over HTTP and hence accessible to sniffers and can be modified by MITM attackers.

The Mixed Content Blocker blocks potentially harmful HTTP requests on HTTPS pages.

What are the risks?

A man-in-the-middle attacker can intercept the request for the HTTP content. The attacker can also re-write the response to include malicious JavaScript code. Malicious script can steal the user's credentials, acquire sensitive data about the user, or attempt to install malware on the user's system (by leveraging vulnerable plugins the user has installed, for example).

There is additional risk involved with Mixed Content when visiting a site that contains sensitive user data. If the website contains private data that is only visible when authenticated, mixed content on the page could read the user's data, steal a user's credentials and take over their account.

If an HTTP webpage is public and doesn’t have any sensitive data, the use of Mixed Content on that site still provides the attacker with the opportunity to redirect requests to other HTTP URLs and steal HTTP cookies from those sites.

For more information about Mixed Content, see https://developer.mozilla.org/en/Security/MixedContent.