message: mixture of encrypted and unencrypted content

what do you do?

         

chewy

9:49 pm on Aug 8, 2010 (gmt 0)

You know when you are at a site and you get that message that says "the page you are about to view contains a mixture of encrypted and unencrypted content".

Do you click yes or no?

I usually don't know what to do.

I just watched a CIO totally bonk on not knowing what to do or why he was getting this message!

I too "bonk" because I don't know what to do either - I just figure some tech person made a mistake and it doesn't really matter what I do other than leave the site as quick as I can.

But even more important:

HOW DO I AVOID HAVING MY VISITORS GET THIS CRYPTIC message?

jdMorgan

11:10 pm on Aug 8, 2010 (gmt 0)

Do not include images, CSS, or external JS files into an SSL (https) page using non-SSL (http) URLs.

If you implement domain or page-URL canonicalization code (redirecting http requests for secure pages to https and redirecting https requests for non-secure pages back to http), then take care to exclude any objects shared between http and https pages from these rules.

If you get such a warning on your own site, fire up the Live HTTP Headers add-on for Firefox and look at the client-request/server-response transactions. If you see non-secure objects being loaded from a secure page, then you can be sure that the <src="link"> is wrong on the secure page or that you've got an incompletely-coded canonicalization redirect somewhere.

I run into this occasionally. If the site is well-known to me, I'll keep browsing as long as the address in the browser's address bar is correct, and as long as I'm not actually in the login/checkout process. If any of these three factors are false, then I'm outta there -- unbonked, but outta there. :)

Jim
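
An added example, not part of the original posts: one way to audit a secure page's HTML for the problem described above, listing every image, script, stylesheet, or plugin object that is referenced with an http:// URL. The page URL, host names, and sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# (tag, attribute) pairs a browser fetches on load; <a href> is deliberately absent.
FETCH_ATTRS = {("img", "src"), ("script", "src"), ("iframe", "src"),
               ("embed", "src"), ("object", "data"), ("input", "src")}


class MixedContentFinder(HTMLParser):
    """Collects subresources that an https page would request over http."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (source line, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        rels = (attrs.get("rel") or "").lower().split()
        if tag == "link" and "stylesheet" in rels:
            candidates = [attrs.get("href")]
        else:
            candidates = [v for k, v in attrs.items() if (tag, k) in FETCH_ATTRS]
        for value in filter(None, candidates):
            # Relative and protocol-relative (//host/x) URLs inherit https.
            absolute = urljoin(self.page_url, value.strip())
            if urlparse(absolute).scheme == "http":
                self.findings.append((self.getpos()[0], tag, absolute))


def find_mixed_content(page_url, html):
    if urlparse(page_url).scheme != "https":
        return []  # the browser warning only applies to secure pages
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings


# Constructed sample: an order-confirmation page with hard-coded http:// URLs.
SAMPLE = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="http://tracker.example/conv.js"></script>
</head><body><img src="//cdn.example/logo.png">
<img src="http://www.example.com/img/badge.gif">
<embed src="http://media.example/banner.swf">
<a href="http://www.example.com/">Home</a></body></html>"""

if __name__ == "__main__":
    for line, tag, url in find_mixed_content("https://www.example.com/thanks", SAMPLE):
        print(f"line {line}: <{tag}> requests {url}")
```

The relative stylesheet, the protocol-relative image, and the ordinary link are not reported; only the three hard-coded http:// subresources are.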

rocknbil

2:26 am on Aug 9, 2010 (gmt 0)

Yeah it's usually images or other harmless stuff many amateurs wouldn't expect - like Google Analytics that is hard-coded to the non-https version, or a flash object with a full http: url. It does make them look tacky though. What really gets my panties in a wad is getting this alert on the big name sites that should know better - one of them a PCI compliance security web site. Ugh.

chewy

4:01 am on Aug 10, 2010 (gmt 0)

I think I've got it figured out.

The driving problem here was with an ecommerce site which showed a thank you page with secure and unsecure content on it (some coming from non-secure MSN / Yahoo tracking codes).

Because the transaction was technically complete, we weren't losing customers, but what we were losing was the cookie on various sessions where people clicked "no" or bailed and the cookies containing transaction amounts or other conversion data got lost.

Hence the cookie crumbled and our Google Analytics ecommerce data (transactions and revenue) never even closely matched the shopping cart data.

Somewhere along the line, I also realized that different browsers were converting (or recording conversions) at hugely different rates than others.

Once I get this settled, it will be interesting to see if this widely differing browser conversion data settles down as well.

Security is important.

I'll be looking at this now with a close eye on other sites I work on.