
How Mixed Content Compromises Security

Thursday, November 17th, 2016

When browsing a website secured by an SSL Certificate, users expect that all the data on that website is safe.

What if just a part of that information on the website is secured? There are websites that have an SSL Certificate installed, but not all their data is secured. The sign in section of the website may be safe, while many of the scripts from the website may still remain unsecure. If a website displays content (images, video, ads) from unsecured HTTP connections, that website is considered to have mixed content.

Types of mixed content

There are two types of mixed content: passive and active. While active is more dangerous, both types of content are a threat. We will explain how these two types of mixed content can affect your website’s security.

Passive mixed content

Passive mixed content means audio, image and video files that are pulled from unsecured HTTP connections. These types of content can cause leaks. For example, your cookie information can be exposed. On a page with mixed content, the attacker can replace the audio, video or image files with something else (e.g. malware). The attacker can lure the users to other unsecure HTTP websites. The good news is that the attacker cannot cause damage to the whole website, but only to some pages or elements of a website.

Active mixed content

Active mixed content is more dangerous. It can affect not only images, audio and video files, but the whole website. Active mixed content can break the scripts of a webpage and intercept communication. Luckily, browsers block active mixed content in most cases.

What can you do about this?

Here are a few things which you as a website owner can do to prevent your website from having mixed content.

  1. Encrypt all the webpages on your website. You should serve all your website resources over “HTTPS”.
  2. Use relative links on your website when requesting content stored on your server. Instead of using “”, use “images/image1”.
  3. Third-party content should use HTTPS when embedded. If you host the content on a server which you do not own, try mirroring the content on your own website to avoid the problem. Or ask the owner of the website where you are pulling content from to install an SSL Certificate, which will secure both his/her website and your website when you pull information from his/her website.
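
To find where a page still needs the steps above, the following added example (not from the original article) scans HTML for subresources requested over http:// and labels each as passive or active. The sample page and its host names are constructed; treating stylesheets, iframes and objects as active alongside scripts follows how browsers classify them and goes beyond the types the article lists.

```python
from html.parser import HTMLParser

# Constructed sample of a page served over HTTPS (host names are placeholders).
SAMPLE_PAGE = """<html><head>
<script src="http://cdn.example.com/app.js"></script>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://www.example.com/">
</head><body>
<img src="http://ads.example.net/banner.png">
<img src="images/image1">
<video src="https://media.example.com/intro.mp4"></video>
<iframe src="http://widgets.example.org/frame"></iframe>
<a href="http://www.example.com/about">About</a>
</body></html>"""

# Tags that fetch a subresource, mapped to the attribute holding its URL.
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}
ACTIVE = {"script": "src", "iframe": "src", "link": "href", "object": "data"}


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # list of (kind, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for kind, table in (("passive", PASSIVE), ("active", ACTIVE)):
            attr = table.get(tag)
            url = (attrs.get(attr) or "").strip() if attr else ""
            if not url.lower().startswith("http://"):
                continue  # relative and https:// URLs are not mixed content
            # A <link> only loads content into the page when it is a stylesheet.
            rel = (attrs.get("rel") or "").lower().split()
            if tag == "link" and "stylesheet" not in rel:
                continue
            self.findings.append((kind, tag, url))


def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.findings


if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE_PAGE):
        print(f"{kind:8} <{tag}> {url}")
```

Plain links such as the `<a href>` in the sample are not reported, because following a link is a navigation rather than content loaded into the secure page.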

SSL Certificates are a very important layer of security on the Internet. However, the use of mixed content can easily compromise your website’s security. In the best case scenario of an attack, users will be flooded with inappropriate images or aggressive ads. In the worst case scenario, hackers will steal the information that a user enters on a website.

If your website is compromised by an attacker because your website’s content is mixed, the information about your users that may leak out can severely damage your company’s reputation. That is why we recommend that you implement these security measures on your website, and make sure that all your website’s content is secured by the SSL Certificate which you have installed on your website and server.

SSL Dragon is here to help you choose the SSL Certificate that will suit your online business best. You can see our full list of SSL Certificates here.