Firefox 23 Will Block Insecure Content on HTTPS Pages by Default

http://news.softpedia.com/news/Fire...ontent-on-HTTPS-Pages-by-Default-344553.shtml

 

Great idea on paper. We'll see how it fares in the real world with real average Joe and Jane users that can't see many, many sites...

 

Yeah, It all depends on how well executed it is

Like you said, We'll see how it fares

 

The transition will be made smoother if more people test it and report problems to the websites that break. I would suggest going into about:config and setting BOTH:

security.mixed_content.block_display_content
security.mixed_content.block_active_content

to true. Visit your important sites first, then visit other sites.

 

I don't know why there is this sudden shift to blocking this and that from Mozilla, but if they don't watch their step they're going to end up with a browser that needs babysitting. I'm very happy they're taking security and privacy more seriously than they have been, but the problem is that the majority of the web doesn't. When you start blocking mixed content, 3rd party intrusion, plugins and all this other stuff, your users are inevitably going to take some pain when they come up against the crap coding and lazy security that makes up the biggest percentage of the Internet.

One can hope that users on these test builds file reports when issues are found, but so few users ever send reports that it isn't likely. Perhaps it'll all work out just fine. If it does, kudos to Mozilla for at least attempting to make the Firefox experience slightly more secure.

 

I'm going to apply this and see how it goes.

 

I expect this to cause more problems than it solves. The average user will move to another browser that "works" without the hassle since they won't understand what is going on anyway.

 

Yeah, I tend to agree...

 

Firefox readies tougher stance on cookies
• http://reviews.cnet.com/8301-3514_7-57578994/firefox-readies-tougher-stance-on-cookies/

FX 20.0.1 is now available on unofficial release sites, official release is scheduled for April 11.

 

I understand the gist of what you guys are saying but the majority of the web is still on HTTP so this change won't affect those. This change is to enforce a higher security level for those pages on HTTPS (as it's generally expected to be) so this is a move in the right direction. Like any change or transition, of course there will be problems with some sites but that does not mean we ought to do nothing just to avoid the problem. Mozilla has mentioned that it will not " block 'display content' like images, videos or audio" so you can expect the change to be even less painful for average users. Not to mention, it will be on Firefox 23 so there will be quite some time for them between now and then to sort things out before it's released as 'stable' for the masses.

 

Not sure what the concern about this is. Internet Explorer 9 and 10, at least, already do this. Google Chrome does it as well.

Has anyone ever heard of mad users of IE and Chrome?

I remember Chrome/Chromium used to provide a nice and clear alert about it, but now (for a long time) it just has a shield icon in the address bar. I prefered when they had the previous alert.

The problem is that some websites do have a lot of first party (yes, I meant first party!) content in HTTP, and they still provide an HTTPS version of the website, which is totally ... Why would they offer an HTTPS version in the first place?

 

But, what they're trying to achieve, block insecure content on HTTPS websites, will fail. So, why bother then? Either fully block insecure content, or just don't bother. All it takes is one insecure (HTTP) content to make an HTTPS website insecure (let's forget forged/stolen certicates lol).

 

To quote their own words "reduce the threat instead of eliminating the threat".

Full post here:
Mixed Content Blocking Enabled in Firefox 23!

 

Well, I guess we'll just have to wait and see!

 

In a way, it is average users who will benefit the most. Unlike advanced users who know how to interpret conditional warnings, inspect things, assess security/privacy issues, and use client side mechanisms to fix issues, average users need simple reliable indicators and configs.

FWIW, it appears that Firefox 23 is scheduled for release on August 6th, 2013. Roughly 4 months from now.

 

Is this what causes some sites to appear "unformatted?" Then if I go to the HTTP version, everything looks normal.

 

Could be. For example: security.mixed_content.block_active_content is enabled and the HTTPS page attempts to load a stylesheet (and/or script) via HTTP which gets blocked.

I don't know of a way to make Firefox display the HTTP requests that were actually blocked. Some other investigative techniques would be:

1) Disable mixed content blocking, run network sniffer, load HTTPS page, look for HTTP requests
2) Load HTTPS page, examine its source and that of other files
3) Disable mixed content blocking, load HTTPS page, look at Page Info->Media to identify *media* HTTP requests
4) Disable mixed content blocking, open the Web Console (CTRL-SHIFT-K), load HTTPS page, look for HTTP requests which will be shown in red.

Notes: Things like NoScript can affect the results. The pages served via HTTPS and HTTP *might* be different in other ways. Just because an HTTPS page attempts to load something via HTTP doesn't mean that the HTTP something is important and mixed content blocking would be problematic.