The significant increase in the last years of those who use the Internet, has automatically led to a greater interest from the badly intentioned people, to exploit this virtual environment. There are hundreds of thousands daily computer attacks globally, and the attackers do not consider whether the targets are public institutions, military, companies or simple Internet users. Any information, from the data of a bank card to a social network account or personal documents, can be used.
In the case of simple users (home users), most PCs are infected negligence them. Either opened in virus message received by email, a hack application or have accessed unsecured web pages.
Since the end of 2017, Firefox it started to warn users when accessing a page HTTP. Chrome came with a update almost similar, and Google has repeatedly urged webmasters (web site creators) to switch to the protocol HTTPS.
http, HTTPS and Mixed Content
Currently, when you access a web page, there are two types of connection between your PC and the host server of the accessed web page. These connections can be HTTPS or HTTP. connection HTTPS requires a certificate SSL for which the host server is responsible, and the connection between the PC and the server is secured / encrypted. Thus, the confidential data of the user and the integrity of the operating system are protected when interacting with the accessed web page. Identify these secure websites very easily, if you look up at the address bar and see a padlock next to the web address.
When accessing a web page with HTTP, data transfer, content, between your PC and the host server will become unsecured and third party interactions may occur. Google Chrome currently warns users with "Not Secure”In front of the insecure web address.
Besides HTTP and HTTPS there is a third type of content. “Mixed Content".
What is mixed content and what are the risks of accessing a mixed content page?
"Mixed Content”Is when a web page has a secure protocol HTTPS, but the content contains third-party elements from an insecure source, HTTP. These elements can be images, Java scripts, CSS or even authentication sessions. Through these insecure elements, attackers can take full control of the web page. Including the other elements, which come from a reliable source, HTTPS.
Unsecured sources from a web page with HTTPS can be easily identified from the source code of the page. It is enough to use a "find" with "http://”To identify these sources.
Everything “mixed content”Is also considered if an HTTP web address, hosts sources (image, audio, video, iframe, java script, CSS, etc) HTTPS. This page will not be considered secure either, and Google Chrome will notify users of this. Moreover, starting with January 2020, this warning will be more aggressive, and the owners of the web pages that do not comply to eliminate the mixed content, risk losing organic traffic. Google Chrome currently blocks scripts and iframes from mixed content, but these limitations will extend to media content. Images, video and audio.
Firefox has long integrated a warning system when accessing mixed content. The lock with the exclamation mark tells us that the web address is HTTPS, contains NON-HTTPS which may affect users.
"Part of these pages are not secure (such as images)".
"Mixed Content"And"NOT-HTTPS"They don't have to be scared. It does not mean that if you access a web page no encrypted connection, immediately follow you if personal data is stolen. You are really exposed to these risks when you access an HTTP web page on a public WiFi network. WiFi networks in malls, parks, airports, restaurants or other public locations with internet access. It is not at all recommended to shop online or access sensitive accounts on these public networks. A public WiFi network in combination with a non-public web addressHTTPS, can be a major issue for your data.
Those who want to move a blog from HTTP to HTTPS and get rid of "Mixed Content", I can follow this tutorial: How to move a blog or website WordPress from HTTP on HTTPS.
