Firefox 23 and Mixed Active Content

Firefox 23 and Mixed Active Content
One of the security relevant features that arrived in the latest version of Firefox was the blocking of mixed active content. In the past, you may have seen popups warnings in your browser alerting you of "mixed content". This refers to pages that mix and match SSL and non SSL content. While this is not a good idea even for passive content like images, the real problem is active content like script. For example, a page may download javascript via HTTP but include it in an HTTPS page. The javascript could now be manipulated by someone playing man in the middle. The modified javascript can then in turn alter the HTML page that loaded it. After all we are using the HTML to load the javascript, so we will not have any "origin" issues. Firefox 23 refined how it deals with "mixed ACTIVE content". If an HTML page that was loaded via HTTPS includes active content, like javascript, via HTTP, then Firefox will block the execution of the active content. I setup a quick test page to allow you to compare browsers. The first page https://isc.sans.edu/mixed.html just includes two images. One is loaded via https and one via http. The second page, https://isc.sans.edu/mixed2.html does include some javascript as well. If the javascript executes, then you should see the string "The javascript executed" under the respective lock image. For more details, see Mozilla's page about this feature: https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/ ------ Johannes B. Ullrich, Ph.D. SANS Technology Institute Twitter I will be teaching next: Defending Web Applications Security Essentials - SANS Cyber Defense Initiative 2020	Johannes 4006 Posts ISC Handler Aug 7th 2013
Thread locked Subscribe	Aug 7th 2013 7 years ago
Didn't you mean to say: "see MOZILLA's page about this feature" ?	Anonymous
Quote	Aug 7th 2013 7 years ago
Hmm, I wonder if this will force some of the three-letter-security-vendors to fix their "Enterprise" consoles that server mixed content...	Paul 44 Posts
Quote	Aug 8th 2013 7 years ago
Sorry about the typo. I fixed it and it now says "Mozilla", not "Google". Paul: They will just require that you use a browser other then Firefox.	Johannes 4006 Posts ISC Handler
Quote	Aug 8th 2013 7 years ago
Quoting Diary: In the past, you may have seen popups warnings in your browser alerting you of "mixed content". This refers to pages that mix and match SSL and non SSL content. While this is not a good idea even for passive content like images, the real problem is active content like script. For example, a page may download javascript via HTTP but include it in an HTTPS page.[/quote] Oh the irony! The ISC diary pages are HTTPS but load a GIF image, a CSS file and a Javascript file from translate.googleapis.com as HTTP - i.e. "mixed active content". Oops! patermann	patermann 35 Posts
Quote	Aug 8th 2013 7 years ago
Quoting patermann: Quoting Diary: In the past, you may have seen popups warnings in your browser alerting you of "mixed content". This refers to pages that mix and match SSL and non SSL content. While this is not a good idea even for passive content like images, the real problem is active content like script. For example, a page may download javascript via HTTP but include it in an HTTPS page. Oh the irony! The ISC diary pages are HTTPS but load a GIF image, a CSS file and a Javascript file from translate.googleapis.com as HTTP - i.e. "mixed active content". Oops! patermann Good eye you have there! The issue is actually already on our shortlist. The reason we don't just "hotfix" this is because we're in the process of de-Googling ISC, in terms of analytics, search and translation. Thanks for your support, and patience!	Alex Stanford 136 Posts
Quote	Aug 8th 2013 7 years ago
I must be doing something wrong I'm using Firefox 23.0 (on windows 7 64 bit), with RequestPolicy and NoScript plugins, yet I still get the "The Javascript executed" message when visiting https://isc.sans.edu/mixed2.html Both requestpolicy and noscript are set to "allow" sans.edu. (I also am seeing only 6 of the 17 comments to this diary post...)	Alex Stanford 2 Posts
Quote	Aug 8th 2013 7 years ago
Quoting comment#26965: Quoting Alex Stanford: Quoting patermann: Quoting Diary: In the past, you may have seen popups warnings in your browser alerting you of "mixed content". This refers to pages that mix and match SSL and non SSL content. While this is not a good idea even for passive content like images, the real problem is active content like script. For example, a page may download javascript via HTTP but include it in an HTTPS page.[/quote] Oh the irony! The ISC diary pages are HTTPS but load a GIF image, a CSS file and a Javascript file from translate.googleapis.com as HTTP - i.e. "mixed active content". Oops! patermann[/quote] Good eye you have there! The issue is actually already on our shortlist. The reason we don't just "hotfix" this is because we're in the process of de-Googling ISC, in terms of analytics, search and translation. Thanks for your support, and patience![/quote] quote test[/quote] quote test 2	jullrichdshield.org 5 Posts
Quote	Aug 8th 2013 7 years ago
Quoting Alex Stanford: Quoting patermann: Quoting Diary: In the past, you may have seen popups warnings in your browser alerting you of "mixed content". This refers to pages that mix and match SSL and non SSL content. While this is not a good idea even for passive content like images, the real problem is active content like script. For example, a page may download javascript via HTTP but include it in an HTTPS page.[/quote] Oh the irony! The ISC diary pages are HTTPS but load a GIF image, a CSS file and a Javascript file from translate.googleapis.com as HTTP - i.e. "mixed active content". Oops! patermann[/quote] Good eye you have there! The issue is actually already on our shortlist. The reason we don't just "hotfix" this is because we're in the process of de-Googling ISC, in terms of analytics, search and translation. Thanks for your support, and patience![/quote] qutoe	jullrichdshield.org 5 Posts
Quote	Aug 8th 2013 7 years ago
Quoting Alex Stanford: Quoting patermann: Quoting Diary: In the past, you may have seen popups warnings in your browser alerting you of "mixed content". This refers to pages that mix and match SSL and non SSL content. While this is not a good idea even for passive content like images, the real problem is active content like script. For example, a page may download javascript via HTTP but include it in an HTTPS page.[/quote] Oh the irony! The ISC diary pages are HTTPS but load a GIF image, a CSS file and a Javascript file from translate.googleapis.com as HTTP - i.e. "mixed active content". Oops! patermann[/quote] Good eye you have there! The issue is actually already on our shortlist. The reason we don't just "hotfix" this is because we're in the process of de-Googling ISC, in terms of analytics, search and translation. Thanks for your support, and patience![/quote] quote quote	jullrichdshield.org 5 Posts
Quote	Aug 8th 2013 7 years ago
Quoting Alex Stanford: Quoting patermann: Quoting Diary: In the past, you may have seen popups warnings in your browser alerting you of "mixed content". This refers to pages that mix and match SSL and non SSL content. While this is not a good idea even for passive content like images, the real problem is active content like script. For example, a page may download javascript via HTTP but include it in an HTTPS page.[/quote] Oh the irony! The ISC diary pages are HTTPS but load a GIF image, a CSS file and a Javascript file from translate.googleapis.com as HTTP - i.e. "mixed active content". Oops! patermann[/quote] Good eye you have there! The issue is actually already on our shortlist. The reason we don't just "hotfix" this is because we're in the process of de-Googling ISC, in terms of analytics, search and translation. Thanks for your support, and patience![/quote] testing message count	jullrichdshield.org 5 Posts
Quote	Aug 8th 2013 7 years ago
Quoting jullrichdshield.org: Quoting Alex Stanford: Quoting patermann: Quoting Diary: In the past, you may have seen popups warnings in your browser alerting you of "mixed content". This refers to pages that mix and match SSL and non SSL content. While this is not a good idea even for passive content like images, the real problem is active content like script. For example, a page may download javascript via HTTP but include it in an HTTPS page.[/quote] Oh the irony! The ISC diary pages are HTTPS but load a GIF image, a CSS file and a Javascript file from translate.googleapis.com as HTTP - i.e. "mixed active content". Oops! patermann[/quote] Good eye you have there! The issue is actually already on our shortlist. The reason we don't just "hotfix" this is because we're in the process of de-Googling ISC, in terms of analytics, search and translation. Thanks for your support, and patience![/quote] testing message count[/quote] test	Alex Stanford 136 Posts
Quote	Aug 8th 2013 7 years ago

One of the security relevant features that arrived in the latest version of Firefox was the blocking of mixed active content. In the past, you may have seen popups warnings in your browser alerting you of "mixed content". This refers to pages that mix and match SSL and non SSL content. While this is not a good idea even for passive content like images, the real problem is active content like script. For example, a page may download javascript via HTTP but include it in an HTTPS page. The javascript could now be manipulated by someone playing man in the middle. The modified javascript can then in turn alter the HTML page that loaded it. After all we are using the HTML to load the javascript, so we will not have any "origin" issues.

Firefox 23 refined how it deals with "mixed ACTIVE content". If an HTML page that was loaded via HTTPS includes active content, like javascript, via HTTP, then Firefox will block the execution of the active content.

I setup a quick test page to allow you to compare browsers. The first page https://isc.sans.edu/mixed.html just includes two images. One is loaded via https and one via http. The second page, https://isc.sans.edu/mixed2.html does include some javascript as well. If the javascript executes, then you should see the string "The javascript executed" under the respective lock image.

For more details, see Mozilla's page about this feature:

https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

I will be teaching next: Defending Web Applications Security Essentials - SANS Cyber Defense Initiative 2020

Johannes

4006 Posts
ISC Handler

Aug 7th 2013

Didn't you mean to say: "see MOZILLA's page about this feature" ?

Anonymous

Hmm, I wonder if this will force some of the three-letter-security-vendors to fix their "Enterprise" consoles that server mixed content...

Paul

44 Posts

Sorry about the typo. I fixed it and it now says "Mozilla", not "Google".

Paul: They will just require that you use a browser other then Firefox.

Johannes

4006 Posts
ISC Handler

Quoting Diary: In the past, you may have seen popups warnings in your browser alerting you of "mixed content". This refers to pages that mix and match SSL and non SSL content. While this is not a good idea even for passive content like images, the real problem is active content like script. For example, a page may download javascript via HTTP but include it in an HTTPS page.[/quote]

Oh the irony! The ISC diary pages are HTTPS but load a GIF image, a CSS file and a Javascript file from translate.googleapis.com as HTTP - i.e. "mixed active content". Oops!

patermann

patermann

35 Posts

Quoting patermann:
Quoting Diary: In the past, you may have seen popups warnings in your browser alerting you of "mixed content". This refers to pages that mix and match SSL and non SSL content. While this is not a good idea even for passive content like images, the real problem is active content like script. For example, a page may download javascript via HTTP but include it in an HTTPS page.

Oh the irony! The ISC diary pages are HTTPS but load a GIF image, a CSS file and a Javascript file from translate.googleapis.com as HTTP - i.e. "mixed active content". Oops!

patermann

Good eye you have there! The issue is actually already on our shortlist. The reason we don't just "hotfix" this is because we're in the process of de-Googling ISC, in terms of analytics, search and translation.

Thanks for your support, and patience!

Alex Stanford

136 Posts

I must be doing something wrong :-(

I'm using Firefox 23.0 (on windows 7 64 bit), with RequestPolicy and NoScript plugins,
yet I still get the "The Javascript executed" message when visiting
https://isc.sans.edu/mixed2.html
Both requestpolicy and noscript are set to "allow" sans.edu.

(I also am seeing only 6 of the 17 comments to this diary post...)

Alex Stanford
2 Posts

Quoting comment#26965:
Quoting Alex Stanford:
Quoting patermann:
Quoting Diary: In the past, you may have seen popups warnings in your browser alerting you of "mixed content". This refers to pages that mix and match SSL and non SSL content. While this is not a good idea even for passive content like images, the real problem is active content like script. For example, a page may download javascript via HTTP but include it in an HTTPS page.[/quote]

Oh the irony! The ISC diary pages are HTTPS but load a GIF image, a CSS file and a Javascript file from translate.googleapis.com as HTTP - i.e. "mixed active content". Oops!

patermann[/quote]
Good eye you have there! The issue is actually already on our shortlist. The reason we don't just "hotfix" this is because we're in the process of de-Googling ISC, in terms of analytics, search and translation.

Thanks for your support, and patience![/quote]

quote test[/quote]

quote test 2

jullrichdshield.org

5 Posts

Quoting Alex Stanford:
Quoting patermann:
Quoting Diary: In the past, you may have seen popups warnings in your browser alerting you of "mixed content". This refers to pages that mix and match SSL and non SSL content. While this is not a good idea even for passive content like images, the real problem is active content like script. For example, a page may download javascript via HTTP but include it in an HTTPS page.[/quote]

Oh the irony! The ISC diary pages are HTTPS but load a GIF image, a CSS file and a Javascript file from translate.googleapis.com as HTTP - i.e. "mixed active content". Oops!

patermann[/quote]
Good eye you have there! The issue is actually already on our shortlist. The reason we don't just "hotfix" this is because we're in the process of de-Googling ISC, in terms of analytics, search and translation.

Thanks for your support, and patience![/quote]

qutoe

jullrichdshield.org

5 Posts

Quoting Alex Stanford:
Quoting patermann:
Quoting Diary: In the past, you may have seen popups warnings in your browser alerting you of "mixed content". This refers to pages that mix and match SSL and non SSL content. While this is not a good idea even for passive content like images, the real problem is active content like script. For example, a page may download javascript via HTTP but include it in an HTTPS page.[/quote]

Oh the irony! The ISC diary pages are HTTPS but load a GIF image, a CSS file and a Javascript file from translate.googleapis.com as HTTP - i.e. "mixed active content". Oops!

patermann[/quote]
Good eye you have there! The issue is actually already on our shortlist. The reason we don't just "hotfix" this is because we're in the process of de-Googling ISC, in terms of analytics, search and translation.

Thanks for your support, and patience![/quote]
quote quote

jullrichdshield.org

5 Posts

Quoting Alex Stanford:
Quoting patermann:
Quoting Diary: In the past, you may have seen popups warnings in your browser alerting you of "mixed content". This refers to pages that mix and match SSL and non SSL content. While this is not a good idea even for passive content like images, the real problem is active content like script. For example, a page may download javascript via HTTP but include it in an HTTPS page.[/quote]

Oh the irony! The ISC diary pages are HTTPS but load a GIF image, a CSS file and a Javascript file from translate.googleapis.com as HTTP - i.e. "mixed active content". Oops!

patermann[/quote]
Good eye you have there! The issue is actually already on our shortlist. The reason we don't just "hotfix" this is because we're in the process of de-Googling ISC, in terms of analytics, search and translation.

Thanks for your support, and patience![/quote]

testing message count

jullrichdshield.org

5 Posts

Quoting jullrichdshield.org:
Quoting Alex Stanford:
Quoting patermann:
Quoting Diary: In the past, you may have seen popups warnings in your browser alerting you of "mixed content". This refers to pages that mix and match SSL and non SSL content. While this is not a good idea even for passive content like images, the real problem is active content like script. For example, a page may download javascript via HTTP but include it in an HTTPS page.[/quote]

Oh the irony! The ISC diary pages are HTTPS but load a GIF image, a CSS file and a Javascript file from translate.googleapis.com as HTTP - i.e. "mixed active content". Oops!

patermann[/quote]
Good eye you have there! The issue is actually already on our shortlist. The reason we don't just "hotfix" this is because we're in the process of de-Googling ISC, in terms of analytics, search and translation.

Thanks for your support, and patience![/quote]

testing message count[/quote]
test

Alex Stanford

136 Posts