
Analysis of HTTPS mixed content with solution

2025-01-15 Update. From: SLTechnology News&Howtos, shulou


Shulou (Shulou.com) 06/02 Report

What is HTTPS mixed content

You may have seen this: while visiting a website over HTTPS, the browser suddenly warns "this page contains unsafe content" and asks whether the "unsafe content" should be displayed. You have run into a page with mixed content.

An HTTPS page rarely arrives over a single connection: the HTML markup, images, JavaScript and other page resources are fetched over many connections and may even come from entirely different servers and websites. For the page to be correctly encrypted, every one of its resources must be loaded over HTTPS. In practice it is common for some resources not to use HTTPS, and that is the mixed content security problem.

Reasons for mixed content

Programmers

Some programmers still write code out of HTTP-era habits, which leads to careless references. The most common case is referencing resources on the site by an http:// absolute path. This works in HTTP mode, but once the pages have to be served over HTTPS, those elements are still fetched over HTTP and errors result.

Mashup

As Mashups have developed, websites no longer provide all of their content themselves; they mix in content from other sites, and the origin of that content is hidden. Mashups are very useful to developers, but they also make our HTTPS deployment unpredictable.

Mashups are mostly implemented by loading third-party JavaScript on the page. Under HTTPS, the problem is that third-party content and services often do not support HTTPS. A few years ago many Baidu and Google services did not support HTTPS; only in the last 2 or 3 years have they begun to support SSL across all their services, and some small service providers still cannot support HTTPS.

CDN

A CDN deploys a large number of servers around the world, uses the user's source IP address to pick the best network location to serve from, and delivers large volumes of (mainly static) files to users. Supporting HTTPS access through a CDN is usually expensive: CDNs typically rely on BDNS domain-name resolution, which assigns different hostnames to a website's distribution sites around the world, so a wildcard certificate or even a wildcard SAN certificate is often needed. In addition, because SNI support is not yet universal, each distribution point preferably has its own dedicated IP address. All of this adds operational complexity and cost.

The impact of mixed content is determined mainly by the nature of the content that is not encrypted. There are currently two kinds: mixed passive content and mixed active content. The former is also called mixed display; it is low-risk content such as images. The latter is also called mixed scripting; it is high-risk content, typically JavaScript.

Mixed active content is the real source of the threat. A reference to an unencrypted JavaScript file can be hijacked by an active attacker, who then gains full control of the page and can perform arbitrary actions on the site under the victim's identity. The same applies to other dangerous resource types, including HTML (frames), CSS, Flash and Java applications.

Mixed passive content is less dangerous, but it can still compromise the integrity of the page. In some cases an attacker can deceive the victim by inserting information into an image, which may lead to phishing attacks.

How browsers handle it

Android browser

Android's browsers have no restrictions on mixed content.

Chrome

Starting with version 38, Chrome blocks all mixed active content.

Firefox

Firefox has long been able to detect and warn about mixed content, and since version 23 it blocks all mixed active content.

IE

IE has detected mixed content since IE5 (1999). When IE finds encrypted and plaintext content on the same page, it prompts the user to decide what to do. Only from IE9 onward does it block mixed active content and allow mixed passive content by default.

Safari

Safari currently does not block any mixed content, which sets it apart from the other browsers.

Which resource types each browser loads over plain HTTP from an HTTPS page (Y = loaded, N = blocked):

| Browser             | Images | CSS | Scripts | XHR | Websockets | Frames |
|---------------------|--------|-----|---------|-----|------------|--------|
| Android Browser 4.4 | Y      | Y   | Y       | Y   | Y          | Y      |
| Chrome 41           | Y      | N   | N       | N   | N          | N      |
| Firefox 30          | Y      | N   | N       | N   | N          | N      |
| IE 11               | Y      | N   | N       | N   | N          | N      |
| Safari              | Y      | Y   | Y       | Y   | Y          | Y      |

Find mixed content

To check whether a page contains mixed content, Chrome's developer tools are recommended:

Open the page to be tested, then open the developer tools, select "Security" and then "Non-Secure Origin", and the mixed content is listed:

Solution

Check the code

When developing a new website, deploy HTTPS directly in the test environment so that mixed content problems are found and fixed during testing.

Programmers can adjust the code in the following ways:

Local images and scripts referenced directly over HTTP: find every element referenced by an http:// absolute path and replace the reference with a local relative path.

Images and scripts fetched from other sites on the public network: for example, the website www.domain.com keeps its images on another site, img.domain.com, and its scripts on js.domain.com. Deploy HTTPS on every site, then change the original http:// references to //. For example, the original code

Modify to

After this adjustment the browser uses the same scheme as the page itself, http or https, when fetching the public network resources.

If you need application services provided by third-party systems, look for a service provider that supports HTTPS. Baidu and Google already support HTTPS across all their services, and reputable application services are beginning to support HTTPS.

HSTS

HSTS is a mechanism that forces the browser to fetch resources securely, even in the face of user error (such as a user reaching your site on port 80) and implementation error (a developer adding insecure elements to an HTTPS page). It effectively eliminates the mixed content problem, but it only works for domain names you control.

Deploying HSTS requires a 301 redirect from HTTP to HTTPS. Only a brief introduction for IIS is given here:

First, set up an HTTP site and an HTTPS site on the server, and on the HTTP site select HTTP Redirect:

Set the status code to Permanent (301) and redirect to the HTTPS site with the same domain name.

The detailed use of HSTS will be covered in a separate article.

CSP

To block insecure resources fetched from third-party websites, you can use Content Security Policy (CSP). This security feature can block insecure resources, and it has many other useful capabilities for dealing with application-layer security issues.
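As an added example (not from the article), this Python model ties the HSTS and CSP sections together: it shows why HSTS only helps for hosts whose header the browser has already seen, and what the real CSP directives upgrade-insecure-requests and block-all-mixed-content (the latter now deprecated in favour of the former) do to the remaining http:// references. The browser's HSTS cache, the host names and the header values are constructed.

```python
from urllib.parse import urlsplit

def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [source values]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def hsts_entry(header):
    """Strict-Transport-Security header -> (max_age, include_subdomains)."""
    max_age, include_sub = 0, False
    for directive in header.lower().split(";"):
        name, _, value = directive.strip().partition("=")
        if name == "max-age" and value.strip().isdigit():
            max_age = int(value)
        include_sub |= name == "includesubdomains"
    return max_age, include_sub

def hsts_covers(host, hsts_cache):
    """Live HSTS entry for host, or for a parent sent with includeSubDomains?"""
    labels = host.split(".")
    for i in range(len(labels)):
        entry = hsts_cache.get(".".join(labels[i:]))
        if entry:
            max_age, include_sub = hsts_entry(entry)
            if max_age > 0 and (i == 0 or include_sub):  # max-age=0 deletes an entry
                return True
    return False

def classify(url, csp, hsts_cache):
    """Fate of one subresource URL in an HTTPS page: HSTS and upgrade-insecure-requests
    upgrade the request before the mixed-content check; block-all-mixed-content blocks the rest."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return "secure"
    if hsts_covers(parts.hostname, hsts_cache) or "upgrade-insecure-requests" in csp:
        return "upgraded"
    return "blocked" if "block-all-mixed-content" in csp else "mixed"

def audit(refs, csp_header="", hsts_cache=None):
    csp = parse_csp(csp_header)
    return {url: classify(url, csp, hsts_cache or {}) for url in refs}
# Constructed browser state: HSTS headers received on earlier visits to our own hosts.
HSTS_CACHE = {"domain.com": "max-age=31536000; includeSubDomains",
              "cdn.example": "max-age=0"}
REFS = ["http://js.domain.com/app.js", "http://cdn.example/lib.js",
        "http://widget.thirdparty.example/w.js", "https://img.domain.com/logo.png"]
```

Without a CSP, only js.domain.com is rescued (by the parent domain's includeSubDomains entry); the third-party widget stays mixed content until its provider offers HTTPS or the page sends upgrade-insecure-requests.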
