The significant increase in the last years of those who use the Internet, has automatically led to a greater interest from the badly intentioned people, to exploit this virtual environment. There are hundreds of thousands daily computer attacks globally, and the attackers do not consider whether the targets are public institutions, military, companies or simple Internet users. Any information, from the data of a bank card to a social network account or personal documents, can be used.
In the case of simple users (home users), most PCs are infected negligence them. Either opened in virus message received by email, a hack application or have accessed unsecured web pages.
Since the end of 2017, Firefox it started to warn users when accessing a page HTTP. Chrome came up with an almost similar update, and Google repeatedly urged webmasters (web site creators) to switch to protocol HTTPS.
HTTP, HTTPS and Mixed Content
Currently, when you access a web page, there are two types of connection between your PC and the host server of the accessed web page. These connections can be HTTPS or HTTP. The HTTPS connection requires an SSL certificate to which the host server is responsible, and the connection between the PC and the server is secured / encrypted. Thus, the confidential data of the user and the integrity of the operating system are protected when interacting with the accessed web page. Identify these secure websites very simply, if you look up the address bar and see a lock next to the web address.
When accessing a web page with HTTP, data transfer, content, between your PC and the host server will become unsecured and third party interactions may occur. Google Chrome currently warns users with "Not Secure”In front of the insecure web address.
In addition to HTTP and HTTPS there is a third type of content. "Mixed Content".
What is mixed content and what are the risks of accessing a mixed content page?
"Mixed Content”Is when a web page has HTTPS secure protocol, but in the content are third elements coming from an insecure source, HTTP. These elements can be images, Java scripts, CSS or even authentication sessions. Through these unsecured elements, attackers can take full control of the web page. Including the other elements, which come from secure source, HTTPS.
Unsecured sources on a web page with HTTPS can be easily identified from the source code of the page. It is enough to use a "find" with "http://”To identify these sources.
Everything “mixed content”Is also considered if an HTTP web address hosts hosting (image, audio, video, iframe, java script, CSS, etc.) HTTPS. This page will not be considered secure either, and Google Chrome will notify users of this. Moreover, starting with January 2020, this warning will be more aggressive, and the owners of the web pages that do not comply to eliminate the mixed content, risk losing organic traffic. Google Chrome currently blocks scripts and iframes from mixed content, but these limitations will extend to media content. Images, video and audio.
Firefox has long integrated a warning system when accessing mixed content. The lock with the exclamation mark tells us that although the web address is HTTPS, it contains NON-HTTPS elements that can affect users.
“Part of this pages are not secure (such as images)”.
"Mixed Content"And"NON-HTTPS"They don't have to be scared. It does not mean that if you access a web page no encrypted connection, immediately follow you if personal data is stolen. You face real risks when you access an HTTP web page from a public WiFi network. WiFi networks in malls, parks, airports, restaurants or other public places with internet access. It is not advisable to shop online or access sensitive accounts on these public networks. A public WiFi network in combination with a non-HTTPS web address can be a major issue for your data.
Those who want to move a blog from HTTP to HTTPS and get rid of "Mixed Content", can follow this tutorial: How to move a blog or WordPress website from HTTP to HTTPS.