
Firefox 23 will block non-SSL content on SSL pages by default - simonster
https://developer.mozilla.org/en-US/docs/Site_Compatibility_for_Firefox_23#Non-SSL_contents_on_SSL_pages_are_blocked_by_default
======
overshard
In other words, start using the `//url.to/something-here/` shortcut and the
world will be a better place.

EDIT: Use `//` instead of `http://` or `https://` and it will use whatever
the protocol of the page being fetched is using.

EDIT 2: Double check when you use the `//` shortcut that the website you are
linking to supports HTTPS, some still don't and they don't redirect
properly...
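
Added example, not code from this thread: how a protocol-relative `//` reference actually resolves against the embedding page, and which of the resulting loads a mixed-content blocker of the kind described here would stop. Node's built-in `URL` class does the resolution. The active/passive split (scripts, stylesheets, frames, fonts, plugins and XHR blocked; images, audio and video allowed with a warning) is the Firefox 23 behaviour discussed further down the thread; the hostnames and the asset list are constructed for the example.

```javascript
// Added example, not code from the thread: resolve a protocol-relative ("//")
// asset URL against the page that embeds it, and classify the result the way
// a mixed-content blocker does. Node's built-in URL class performs the
// resolution. The active/passive split (scripts, stylesheets, frames, fonts,
// plugins and XHR blocked; images, audio and video allowed with a warning) is
// the behaviour the thread describes for Firefox 23; the hostnames are made up.

// Resource kinds treated as active mixed content and therefore blocked.
const ACTIVE_KINDS = new Set(['script', 'style', 'frame', 'font', 'object', 'xhr']);

// Resolve `assetUrl` as a browser would for a document at `pageUrl`, and report
// 'ok' (no scheme mismatch), 'passive' (http asset on https page, not blocked)
// or 'blocked' (http active content on an https page).
function resolveAsset(pageUrl, assetUrl, kind) {
  const page = new URL(pageUrl);
  // A '//host/path' reference inherits the scheme of the base URL, which is
  // exactly what the `//` shortcut relies on.
  const resolved = new URL(assetUrl, page);
  let status = 'ok';
  if (page.protocol === 'https:' && resolved.protocol === 'http:') {
    status = ACTIVE_KINDS.has(kind) ? 'blocked' : 'passive';
  }
  return { href: resolved.href, status };
}

// Rewrite an absolute http(s) URL to protocol-relative form. Relative URLs are
// returned unchanged. Per the caveat in the post above, only do this for hosts
// that are known to serve the same content over HTTPS.
function toProtocolRelative(assetUrl) {
  return assetUrl.replace(/^https?:\/\//i, '//');
}

// Audit every asset reference of a page and return one row per asset.
function auditPage(pageUrl, assets) {
  return assets.map(([kind, url]) => ({ kind, url, ...resolveAsset(pageUrl, url, kind) }));
}

// Constructed sample: an HTTPS article pulling in a typical mix of assets.
const SAMPLE_PAGE = 'https://www.example.test/article/123';
const SAMPLE_ASSETS = [
  ['script', 'http://cdn.example.test/app.js'],        // blocked in FF23
  ['style', '//cdn.example.test/site.css'],            // follows page scheme
  ['image', 'http://img.example.test/logo.png'],       // passive: shown, warned
  ['frame', 'https://widgets.example.test/embed'],     // fine
];

for (const row of auditPage(SAMPLE_PAGE, SAMPLE_ASSETS)) {
  console.log(`${row.status.padEnd(7)} ${row.kind.padEnd(6)} ${row.href}`);
}
```

The same resolution is what makes the `//` form safe on an `http://` page: the stylesheet is then fetched over plain HTTP, so nothing breaks for visitors who have not switched to HTTPS yet.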

~~~
dudus
IE7 and IE8 will download stylesheets that use protocol relative urls twice.

<http://stackoverflow.com/questions/4831741/can-i-change-all-my-http-links-to-just>

~~~
somesay
You really care about that? Well, relative URLs (and maybe using a basename
meta tag) might be a workaround. But seriously, I wouldn't care about these
Microsoft bugs.

------
buro9
To anyone now panicking about user generated content and non-SSL images, and
thinking "What I need is some kind of SSL proxy for user generated images"...

Node based SSL proxy: <https://github.com/atmos/camo>

And I whipped one up in PHP for some old PHP site that I worked on if anyone
wants to see that. I shoved that behind Nginx so that I also get a file cache
for the most requested files.

For my project I purchased an extra SSL domain name (<https://sslcache.se>),
as I had some concern about serving user generated content on my primary
domain. Concerns which are valid, as github.com recently acknowledged by
moving their UGC pages to github.io.

~~~
calebegg
As far as I can tell, this change doesn't apply to images, and probably
shouldn't apply to user-generated content (i.e., you shouldn't be letting
users write/embed arbitrary CSS, JS, plugins, fonts, frames, etc...)

~~~
buro9
I had read the link, and whilst it doesn't mention images as being included in
the change it also doesn't mention images as being excluded, and does imply
that all mixed content is blocked. It was my assumption given those conditions
that it included images.

And there are many scenarios in which you do want to allow user generated
content to include JS, off the top of my head Google Maps does so to allow
user maps to be extensible. The issue is how such content is managed safely,
and enabling SSL and putting the content on another domain is a good thing.
Google do the right thing and serve such content over SSL and via an iframe on
a totally different domain (<http://whois.domaintools.com/googleusercontent.com>).

------
filereaper
Does Firefox 23 have support for TLSv1.2?

Please fix NSS and support TLSv1.2

As of now only IE and Opera are the ones which I'm aware of that support
TLSv1.2.

There is a vulnerability for BEAST against SSL 3.0/TLSv1.0

With more widespread use of HTTPS which isn't a bad thing, it would help that
all browsers support the latest security recommendations.

<https://blogs.akamai.com/2012/05/what-you-need-to-know-about-beast.html>

~~~
ctz
There's no point implementing TLS1.2 until browsers stop silently downgrading
through TLS versions under attacker control.

And there's not much prospect of that happening: it seems we're happy to
exchange compatibility with less than 1% of sites for security of 100%.

~~~
peterwwillis
From what I've read, it looks like the server advertises all the TLS it
supports, the client picks the highest version, but then an attacker sends an
RST and the client goes to the next version in the list. Is that accurate?
(The only other downgrade attack I saw was on False Start which has since been
disabled in Chrome)

Could (or should) they support an option in the browser to require only the
highest possible version of a protocol? Or is there some other fix required to
mitigate the attack?
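
Added example, not code from this thread: a small model of the version "fallback dance" described in the question above. The client offers its highest TLS version; if the handshake dies before it completes, it retries one version lower. The model shows that an on-path attacker who resets the higher attempts lands the connection on the lowest version whenever fallback is allowed, that a strict client (the option asked about) fails closed instead, and the server-side check that was later standardized as TLS_FALLBACK_SCSV in RFC 7507, where a retry carries a fallback marker and a server that supports a higher version aborts with `inappropriate_fallback`. Versions are plain strings ranked by position, and the whole "network" is a predicate deciding whether an attempt gets reset; none of this is real TLS code.

```javascript
// Added example, not from the thread: a model of the version "fallback dance".
// A client offers its highest TLS version; if the handshake dies before
// completing, it retries one version lower. The model shows (1) an on-path
// attacker injecting RSTs forces the lowest version when fallback is allowed,
// (2) a strict client instead fails closed, and (3) the server-side check
// later standardized as TLS_FALLBACK_SCSV (RFC 7507), where a retry carries a
// fallback marker and a server that could have done better aborts with
// inappropriate_fallback. Versions are strings ranked by index; the whole
// "network" is a predicate saying whether an attempt gets reset.
const VERSIONS = ['TLS1.0', 'TLS1.1', 'TLS1.2'];
const rank = v => VERSIONS.indexOf(v);

// Server: picks the highest version both sides support. With SCSV enforcement,
// a marked fallback attempt that offers less than the server's maximum is
// rejected, because a correct client would have had no reason to fall back.
function serverHello(serverMax, offered, fallbackMarker, enforceScsv) {
  if (fallbackMarker && enforceScsv && rank(serverMax) > rank(offered)) {
    return { error: 'inappropriate_fallback' };
  }
  return { version: VERSIONS[Math.min(rank(serverMax), rank(offered))] };
}

// Returns a predicate that resets every handshake offering more than
// `minVersion`. It models both an attacker injecting RSTs and a buggy
// server that drops unfamiliar versions; the client cannot tell them apart,
// which is why version fallback is dangerous in the first place.
function resetsAbove(minVersion) {
  return offered => rank(offered) > rank(minVersion);
}

// Client: try the highest version, then (optionally) fall back one step at a
// time. Returns the negotiated version (or null) and the attempt log.
function negotiate({ clientMax, serverMax, resetOffer = () => false,
                     allowFallback = true, enforceScsv = false }) {
  const attempts = [];
  for (let i = rank(clientMax); i >= 0; i--) {
    const offered = VERSIONS[i];
    const isFallback = i < rank(clientMax);
    if (resetOffer(offered)) {
      attempts.push({ offered, result: 'reset' });
      if (!allowFallback) break;
      continue;
    }
    const hello = serverHello(serverMax, offered, isFallback, enforceScsv);
    attempts.push({ offered, result: hello.error || hello.version });
    return { version: hello.error ? null : hello.version, attempts };
  }
  return { version: null, attempts };
}

// Constructed scenarios: modern client and server, attacker resetting
// everything above TLS 1.0.
const base = { clientMax: 'TLS1.2', serverMax: 'TLS1.2', resetOffer: resetsAbove('TLS1.0') };
const downgraded = negotiate(base);                           // TLS1.0 (attacker wins)
const strict = negotiate({ ...base, allowFallback: false });  // null (fail closed)
const scsv = negotiate({ ...base, enforceScsv: true });       // null (server aborts)
console.log(downgraded.version, strict.version, scsv.version);
```

Note what the strict option costs: against a server that genuinely chokes on a TLS 1.2 ClientHello the strict client also fails, which is the compatibility trade-off the reply above refers to. The SCSV check avoids that trade-off only when the server enforces it; a server whose real maximum is TLS 1.0 still accepts the marked fallback, so old-but-honest servers keep working.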

------
nachteilig
This doesn't mention images specifically -- anyone have insight into how that
will work? I'm assuming they're not "active" content.

Even Google's image search displays insecure images, so I'd hope they get a
pass.

~~~
simonster
It looks like images get loaded. However, CSS doesn't, which breaks a lot of
sites (e.g. <https://www.nytimes.com/>).

This is in the latest Firefox Nightly build, and available as a pref in older
Firefox versions, so you can play with it too.

~~~
nthitz
Just visited secure NYT link on Chrome 26 and none of the CSS and few images
loaded there either. Console reports loads of [blocked] insecure content.

~~~
iaskwhy
So that explains why some sites were looking unstyled. Github had the same
problem some days ago.

------
collinjackson
Note that both Chrome and IE have been blocking this for some time now. IE did
it first.

~~~
brownbat
IE took a lead move in favor of security, kudos to them.

It seems like Chrome really forced the ecosystem to move towards auto-updates
and sandboxing. Each of those have transition impacts for developers and
publishers.

Mixed content though, I've got to imagine that's a hard area for Google to
lead on, since its transition challenges primarily affect ad integration.

This follows on the heels of the "disable third party cookies by default" row.
I'm wondering if a) Google's business interests will prevent them from being a
first mover on security and privacy in browser development, and b) if other
browsers will start exploring these issues just to force Chrome to make hard
choices.

------
hexis
I wonder if this will help push Google to start serving AdSense over SSL?

------
AdamGibbins
Chrome has been doing this a fair while now, not very well in my opinion
either - the option to enable secure content is hidden away in a tiny silver
shield at the right of the URL bar.

~~~
gmurphy
The visibility of the shield was designed to be proportional to the number of
people who care/should care about it.

------
jrochkind1
I believe this has been default on IE (and maybe even Chrome?) for quite some
time.

------
derefr
It's fun looking at unintended tack-on effects of decisions like this.

For example, requiring SSL for all assets served on SSL pages is going to make
the profits of CloudFlare, and other CDN providers with their same business
model, spike precipitously. You have to have a paying plan ($20/mo to start)
to get SSL CDNing support, which basically means CloudFlare's free plan is now
useless to anyone who enforces HSTS.

~~~
dan_manges
I would expect most companies serving pages over SSL to already be serving
assets over SSL to avoid the mixed content warnings that most browsers
currently give when loading non-SSL assets on an SSL page.

------
jscheel
Browsers blocking insecure content has been a challenge for us. Users can add
embeds into their pages, unfortunately, no two embeds are alike. There are way
too many services that don't offer secure versions of their embeds, and on top
of that, several implement secure vs insecure embeds differently.

------
Karunamon
Can you click a button in the notice to override the error and display the
content anyways?

If not, this is going to be a _colossal_ pain in the ass.

~~~
kbrosnan
Yes the current implementation works similar to click to play plugins. A
shield icon shows up in the address bar as well as a notice that the domain
has http:// content. (in more user friendly terms) Examples of the click to
play UI at <https://blog.mozilla.org/security/2012/10/11/click-to-play-plugins-blocklist-style/>

------
mehrzad
Yep, I use FF Nightly and Pocket's bookmarklet, noticed that the bookmarklet
broke in this new version, and notified Pocket Support.

------
pronoiac
Would Google Reader get an exception, or is this Firefox version being
released after that shuts down?

~~~
Skalman
Firefox 23 will be released on August 6 [1], while Reader closes on July 1
[2].

[1] <https://en.wikipedia.org/wiki/History_of_Firefox#Version_23>

[2] <https://en.wikipedia.org/wiki/Google_Reader>

------
jastanton
It's been a while since I made a Facebook App, but I am pretty sure last time I
checked you can make an app on a non-SSL domain and it will be iframed into
the secure page, which in FF23 will break, so some apps may not work anymore.
Just saying.

~~~
babuskov
If you access the app using https-ed Facebook, i.e. via
<https://apps.facebook.com/appname>, it would use https:// for the iframe as
well. So, no problems there (at least no new ones that did not already exist).

------
smackfu
Do the affected pages currently show a warning in Firefox 22?

~~~
cpeterso
Firefox 22 and earlier do not show a user-visible warning, but they do log
bright red "[Mixed Content]" warnings in Firefox's Developer Console.

Firefox 23 displays a grey shield icon in the address bar for mixed content.

------
Kiro
I was considering upgrading my site to HTTPS but now I changed my mind. The
benefits are no big deal anyway.

