Firefox 23 Will Block Insecure Content on HTTPS Pages by Default

Discussion in 'other software & services' started by Tyrizian, Apr 10, 2013.

Thread Status:
Not open for further replies.
  1. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,806
    http://news.softpedia.com/news/Fire...ontent-on-HTTPS-Pages-by-Default-344553.shtml
     
  2. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
    Great idea on paper. We'll see how it fares in the real world with real average Joe and Jane users that can't see many, many sites...
     
  3. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,806
    Yeah, it all depends on how well executed it is

    Like you said, we'll see how it fares
     
  4. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    The transition will be made smoother if more people test it and report problems to the websites that break. I would suggest going into about:config and setting BOTH:

    security.mixed_content.block_display_content
    security.mixed_content.block_active_content

    to true. Visit your important sites first, then visit other sites.
     
  5. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    I don't know why there is this sudden shift to blocking this and that from Mozilla, but if they don't watch their step they're going to end up with a browser that needs babysitting. I'm very happy they're taking security and privacy more seriously than they have been, but the problem is that the majority of the web doesn't. When you start blocking mixed content, 3rd party intrusion, plugins and all this other stuff, your users are inevitably going to take some pain when they come up against the crap coding and lazy security that makes up the biggest percentage of the Internet.

    One can hope that users on these test builds file reports when issues are found, but so few users ever send reports that it isn't likely. Perhaps it'll all work out just fine. If it does, kudos to Mozilla for at least attempting to make the Firefox experience slightly more secure.
     
  6. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,806
    I'm going to apply this and see how it goes.
     
  7. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,047
    Location:
    USA
    I expect this to cause more problems than it solves. The average user will move to another browser that "works" without the hassle since they won't understand what is going on anyway. :doubt:
     
  8. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Yeah, I tend to agree...
     
  9. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  10. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,709
    I understand the gist of what you guys are saying but the majority of the web is still on HTTP so this change won't affect those. This change is to enforce a higher security level for those pages on HTTPS (as it's generally expected to be) so this is a move in the right direction. Like any change or transition, of course there will be problems with some sites but that does not mean we ought to do nothing just to avoid the problem. Mozilla has mentioned that it will not "block 'display content' like images, videos or audio" so you can expect the change to be even less painful for average users. Not to mention, it will be on Firefox 23 so there will be quite some time for them between now and then to sort things out before it's released as 'stable' for the masses.
     
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Not sure what the concern about this is. Internet Explorer 9 and 10, at least, already do this. Google Chrome does it as well.

    Has anyone ever heard of mad users of IE and Chrome? :D

    I remember Chrome/Chromium used to provide a nice and clear alert about it, but now (for a long time) it just has a shield icon in the address bar. I preferred when they had the previous alert.

    The problem is that some websites do have a lot of first party (yes, I meant first party!) content in HTTP, and they still provide an HTTPS version of the website, which is totally o_O o_O ... Why would they offer an HTTPS version in the first place? :argh:
     
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    But, what they're trying to achieve, block insecure content on HTTPS websites, will fail. So, why bother then? Either fully block insecure content, or just don't bother. All it takes is one insecure (HTTP) content to make an HTTPS website insecure (let's forget forged/stolen certificates lol).
     
  13. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,709
    To quote their own words "reduce the threat instead of eliminating the threat".

    Full post here:
    Mixed Content Blocking Enabled in Firefox 23!
     
  14. encus

    encus Registered Member

    Joined:
    Nov 2, 2009
    Posts:
    535
    Well, I guess we'll just have to wait and see! :D
     
  15. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    In a way, it is average users who will benefit the most. Unlike advanced users who know how to interpret conditional warnings, inspect things, assess security/privacy issues, and use client side mechanisms to fix issues, average users need simple reliable indicators and configs.

    FWIW, it appears that Firefox 23 is scheduled for release on August 6th, 2013. Roughly 4 months from now.
     
    Last edited: Apr 11, 2013
  16. SirDrexl

    SirDrexl Registered Member

    Joined:
    Apr 14, 2012
    Posts:
    545
    Location:
    USA
    Is this what causes some sites to appear "unformatted?" Then if I go to the HTTP version, everything looks normal.
     
  17. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    Could be. For example: security.mixed_content.block_active_content is enabled and the HTTPS page attempts to load a stylesheet (and/or script) via HTTP which gets blocked.

    I don't know of a way to make Firefox display the HTTP requests that were actually blocked. Some other investigative techniques would be:

    1) Disable mixed content blocking, run network sniffer, load HTTPS page, look for HTTP requests
    2) Load HTTPS page, examine its source and that of other files
    3) Disable mixed content blocking, load HTTPS page, look at Page Info->Media to identify *media* HTTP requests
    4) Disable mixed content blocking, open the Web Console (CTRL-SHIFT-K), load HTTPS page, look for HTTP requests which will be shown in red.

    Notes: Things like NoScript can affect the results. The pages served via HTTPS and HTTP *might* be different in other ways. Just because an HTTPS page attempts to load something via HTTP doesn't mean that the HTTP something is important and mixed content blocking would be problematic.
     
    Last edited: Apr 13, 2013
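
Added example (not part of the thread, and not Mozilla's code): technique 2 from the post above, examining an HTTPS page's source for HTTP loads, automated with Python's standard library. The active/display split is a simplified assumption modelled on the two `security.mixed_content.*` prefs, and the sample page and every host name in it are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Simplified split matching the two prefs: "active" content can change the page,
# "display" content cannot. Tag -> attribute that carries the URL.
ACTIVE = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
DISPLAY = {"img": "src", "video": "src", "audio": "src", "source": "src"}

class MixedContentScanner(HTMLParser):
    """Collect subresources an HTTPS page would request over plain HTTP."""
    def __init__(self, page_url):
        super().__init__()
        self.base_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        if tag == "base" and a.get("href"):
            # <base href> changes how later relative URLs resolve
            self.base_url = urljoin(self.base_url, a["href"])
            return
        if tag == "link" and "stylesheet" in a.get("rel", "").lower().split():
            kind, attr = "active", "href"
        elif tag in ACTIVE:
            kind, attr = "active", ACTIVE[tag]
        elif tag in DISPLAY:
            kind, attr = "display", DISPLAY[tag]
        else:
            return
        if a.get(attr):
            url = urljoin(self.base_url, a[attr])  # resolves //host and /path too
            if urlparse(url).scheme == "http":
                self.findings.append((kind, tag, url))

def scan(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page; every host name is a placeholder.
SAMPLE_PAGE = """<head><link rel="stylesheet" href="http://static.example.test/site.css">
<script src="//cdn.example.test/lib.js"></script>
<script src="http://ads.example.test/track.js"></script></head>
<body><img src="http://img.example.test/logo.png"><img src="/local.png">
<iframe src="https://pay.example.test/form"></iframe></body>"""

if __name__ == "__main__":
    for kind, tag, url in scan("https://www.example.test/", SAMPLE_PAGE):
        print(f"{kind:8}<{tag}> {url}")
```

The scanner reads only static markup, so HTTP requests issued at runtime by scripts or from inside stylesheets still need the Web Console or sniffer techniques listed in the post.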