Non-Secure Content on Secure Web Pages

An Internet Security Risk that Browsers Should Always Warn Users About

September 3, 2004

Did you know that some amateur, and possibly incompetent web developers out there claim that it is "the standard" to build pages served over ssl where all the graphics and other media pieces are on a non-ssl server and are included in the page insecurely?

Standard, like the warning, "this web page contains both secure and insecure items?" standard? Elliot Schlegelmilch

Of course, the "professionals" making this claim supposedly can't get this "error" (read "warning") to show up in IE, only in what they refer to as "bad" browsers, like Netscape and Opera, which they "don't really support anyhow"...

Paypal has images on an ssl server. Have them set up an image server, quite a few sites do it. Have it talk both https and http for only images and media files.
Why are they not wanting to do that? server load? Elliot Schlegelmilch

Supposedly the problem is transfer time - the encoded images are 'too big' and the encoded flash is 'too big and too prone to getting corrupted' when sent ssl.

This brings up one of the things I would like to have in the ideal browser (and one of the things I would like to rate browsers on if I ever had copious spare time) would be to have the default setting not to display pages with mixed content, then being able to change the configuration so that it give you a warning and then if you say it is OK, only display the secure parts of the pages in question. Then maybe having a setting (that would warn you if you tried to use it) that would allow you to choose to display secure and insecure portions of a page after getting a warning about the mixed content...