How Mixed Content Compromises Security

Thursday, November 17th, 2016

When browsing a website secured by an SSL Certificate, users expect that all the data on that website is safe.

What if just a part of that information on the website is secured? Some websites have an SSL Certificate installed, but not all their data is secured. The sign-in section of the website may be safe, while many of the scripts from the website may remain unsecured. If a website displays content (images, video, ads) from unsecured HTTP connections, that website is considered to have mixed content.

Types of mixed content

There are two types of mixed content: passive and active. While active is more dangerous, both types of content are a threat. We will explain to you how these two types of mixed content can affect your website’s security.

Passive mixed content

Passive mixed content means audio, image, and video files that are pulled from unsecured HTTP connections. These types of content can cause data breaches. For example, your cookie information can be exposed. On a page with mixed content, the attacker can replace the audio, video, or image files with something else (e.g., malware). The attacker can lure users to other unsecured HTTP websites. The good news is that the attacker cannot cause damage to the whole website, but only to some pages or elements of a website.

Active mixed content

Active mixed content is more dangerous. It can affect not only images, audio, and video files, but the whole website. Active mixed content can break the scripts of a webpage and intercept communication. Luckily, browsers block active mixed content in most cases.

What can you do about this?

Here are a few things which you, as a website owner, can do to prevent mixed content.

  1. Encrypt all the webpages on your website. You should secure all your website resources over “HTTPS”.
  2. Use relative links on your website when requesting content stored on your server. Instead of using “yoursite.com/images/image1”, use “images/image1”.
  3. Third-party content should use HTTPS when embedded. If you host the content on a server that you do not own, try mirroring the content on your own website to avoid the problem. Or ask the owner of the website you are pulling content from to install an SSL Certificate, which will secure both their website and yours when you pull information from it.
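
To find the resources these steps need to fix, the following added example (not part of the original article) scans a page's HTML for http:// subresources and labels each one passive or active, following the split described above. The function names, the tag-to-attribute mapping and the example hosts are assumptions made for illustration, and it uses a simple regex scan rather than a full HTML parser.

```javascript
// Added example, not from the original article. Media loads are reported as
// passive; script, frame, plugin and stylesheet loads are reported as active.
const URL_ATTR = new Map([["img", "src"], ["audio", "src"], ["video", "src"],
  ["source", "src"], ["script", "src"], ["iframe", "src"], ["embed", "src"],
  ["object", "data"], ["link", "href"]]);
const PASSIVE = new Set(["img", "audio", "video", "source"]);

// Read one attribute value out of a tag's raw attribute text.
// The leading (?:^|\s) keeps "src" from matching inside "data-src".
function getAttr(attrs, name) {
  const re = new RegExp(`(?:^|\\s)${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = re.exec(attrs);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

function findMixedContent(pageUrl, html) {
  const findings = [];
  // Mixed content only exists on a page that was itself delivered over HTTPS.
  if (new URL(pageUrl).protocol !== "https:") return findings;
  for (const [, rawTag, attrs] of html.matchAll(/<([a-z][a-z0-9]*)\b([^>]*)>/gi)) {
    const tag = rawTag.toLowerCase();
    const attrName = URL_ATTR.get(tag);
    if (!attrName) continue; // e.g. <a href> is navigation, not a subresource
    if (tag === "link" && !/stylesheet/i.test(getAttr(attrs, "rel") || "")) continue;
    const raw = getAttr(attrs, attrName);
    if (!raw) continue;
    let resolved;
    try { resolved = new URL(raw, pageUrl); } catch { continue; }
    // Relative and protocol-relative URLs inherit https: from the page,
    // so only explicit http:// references are flagged.
    if (resolved.protocol === "http:") {
      findings.push({ tag, url: resolved.href, type: PASSIVE.has(tag) ? "passive" : "active" });
    }
  }
  return findings;
}

// Constructed sample page; every host name is a placeholder.
const SAMPLE_HTML = `
<link rel="stylesheet" href="http://cdn.example.net/site.css">
<script src="http://cdn.example.net/app.js"></script>
<script src="/js/local.js"></script>
<img src="http://images.example.net/banner.png">
<img src="images/image1.png" data-src="http://images.example.net/lazy.png">
<video src="//media.example.net/intro.mp4"></video>
<a href="http://other.example.org/">link</a>`;

console.log(findMixedContent("https://yoursite.example/index.html", SAMPLE_HTML));
```

The relative path from step 2 and the protocol-relative video URL are not reported, because both resolve to HTTPS on an HTTPS page.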

SSL Certificates are a very important layer of security on the Internet. However, the use of mixed content can easily compromise your website’s security. In the best-case scenario of an attack, users will be bombarded with inappropriate images or aggressive ads. In the worst-case scenario, hackers will steal the information that a user enters on a website.

If an attacker compromises your website because of mixed content, the information about your users that may leak out can severely damage your company’s reputation. That is why we recommend that you implement these security measures on your website and make sure that all your website’s content is secured by the SSL Certificate which you have installed on your website and server.

SSL Dragon is here to help you choose the SSL Certificate that will suit your online business best. You can check our full list of SSL Certificates here.