

antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
United State
kudos:5
Reviews:
·Time Warner Cable

Mozilla Firefox 23 Will Block Mixed SSL Content

»www.linuxtoday.com/security/mozi···ent.html

"A big change is coming for Mozilla Firefox 23 that will force a best practice on web users that is long overdue.

Many websites have long mixed SSL content with non-SSL content on the same page..."
--
Ant @ AQFL.net and AntFarm.ma.cx. Please do not IM/e-mail me for technical support. Use this forum or better, »community.norton.com ! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer.


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:3

1 recommendation

And given Mozilla's habit of releasing a major version (which they aren't anyway--Mozilla just likes big numbers) every 6 weeks or so this is only about 4 months away. So how many websites will this break? I can hear the bitchin' now.
--
Don't feed trolls--it only makes them grow!

HarryH3
Premium
join:2005-02-21
kudos:3

1 recommendation

reply to antdude
This is gonna break a LOT of websites. Lazy webmasters are gonna be under the gun.


kickass69

join:2002-06-03
Lake Hopatcong, NJ

3 edits

1 recommendation

reply to StuartMW
It's bad enough that Taleo (Oracle) and some other sites rely on a previous nonstandard behavior in Firefox. Now that Firefox uses a more standard behavior, their scripts fail because they also rely on a nonstandard behavior in Webkit-based browsers. The Firefox developers are not yet convinced to switch back to the nonstandard behavior, that is, they think the sites should update their scripts. Career sites that use Taleo now don't work properly when attempting to search or use other functions. It's been this way since Firefox 19.

Is this more a matter of Mozilla attempting to force standard behavior/better security practices or them running amok forcing websites to adapt to their standards? People who are job searching now use IE 9/10 or Chrome since Mozilla enacted that change.


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:3

1 recommendation

said by kickass69:

Is this more a matter of Mozilla attempting to force standard behavior/better security practices or them running amok forcing websites to adapt to their standards?

Both

This is just like Microsoft, starting with Vista, forcing developers to abandon the bad practices they'd been using for over a decade. That said many applications were broken and users hated it (and some still do).

Industry standards become standards by default. Mozilla may be trying to change the "default" but they're gonna piss off a lot of people just like Microsoft did.
--
Don't feed trolls--it only makes them grow!


kickass69

join:2002-06-03
Lake Hopatcong, NJ
Indeed, people won't put up with websites breaking in Firefox regardless if it's a good or bad reason and switch browsers.


therube

join:2004-11-11
Randallstown, MD
Reviews:
·Comcast
·Verizon Online DSL

2 edits
Oh, but they're supposed to put up with security & privacy issues these broken websites help to propagate.

They are not wanting to make this change "because they can" or because they want to force their will on others or to change the "default", they are wanting to make the change because it is the correct way to do things.

Do you still use SSL2? If someone did not push the issue, force advancement, there would still be today plenty of "secure" websites using it. Oh, that's good enough. We don't have to do anything at all & everyone can use us. Plus all browsers support it, so why not!

And of course they will monitor for breakages & very well may make changes in how they go - before & after. (Look at how many times, how many iterations of the browser useragent string they went through.)


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:3
said by therube:

...they are wanting to make the change because it is the correct way to do things.

Of course. But as I alluded to above after a certain time things become "industry standards".

For example take Windows. It was always Microsoft's intention to have developers store applications, but not data, in

C:\Program Files\MyApp

The idea was for data to be saved in the %APPDATA% folder. However how many developers did that?

I sometimes still see applications that want to place their stuff under the root folder

C:\MyApp\Data

Why? Because some developers are lazy and/or ignorant and just want things to work.

The same applies to web developers and end-users.
--
Don't feed trolls--it only makes them grow!

evoxllx

join:2007-06-07
Winter Park, FL
reply to therube
said by therube:

Do you still use SSL2? If someone did not push the issue, force advancement, there would still be today plenty of "secure" websites using it. Oh, that's good enough. We don't have to do anything at all & everyone can use us. Plus all browsers support it, so why not!

SSLPulse reports nearly 28% of HTTPS sites (with a valid certificate) still support SSL 2.0.

No modern browser supports SSL 2.0. It's a shame that IE even has it as an option, but it's disabled by default.


kickass69

join:2002-06-03
Lake Hopatcong, NJ
reply to therube
I agree with what you're saying. My point is the userbase won't tolerate one browser having a site broken regardless of why it isn't working (security/standards as we're talking about) or something else unrelated when it's either time sensitive, critical or even casual most of the time. In the case of Taleo (Oracle), their customers are employers not the job seekers. Complaining to them will get nowhere.

evoxllx

join:2007-06-07
Winter Park, FL
reply to antdude
All other major browsers already block mixed scripting from loading, both IE and Chrome do it.


Dude111
An Awesome Dude
Premium
join:2003-08-04
USA
kudos:13
reply to antdude

 

I can do that on IE and I have it set to PROMPT.. (Sometimes I allow the NON-SSL stuff other times I don't)


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse

1 recommendation

reply to antdude

Re: Mozilla Firefox 23 Will Block Mixed SSL Content

said by antdude:

"A big change is coming for Mozilla Firefox 23 that will force a best practice on web users that is long overdue.

Many websites have long mixed SSL content with non-SSL content on the same page..."

They have not thought this through.

Case 1: My webmail site. They are set up so that all connections are secure. However, if an email contains an image, and if I want to see that image while reading the email, then that will become a mixed content page.

The webmail site will probably do the obvious thing - they will turn off their use of "https", and this will lower security.

Case 2: My blog. When I do anything administrative, the blog connects me with "https:". So, if I am reviewing comments, and a comment contains an image that is not "https:", that will be a mixed content page.

The obvious response for the blog service, will be to turn off "https:" for administrative actions, with a consequent reduction in security.

Some web pages are mixed content, because of bad page design. Other web pages are mixed content because what they are doing can unavoidably lead to mixed content.
--
AT&T Uverse; Buffalo WHR-300HP router (behind the 2wire gateway); openSuSE 12.3; firefox 20.0


Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
Reviews:
·Frontier Communi..
reply to antdude
Opera's been doing this for quite some time now, and from the chronic and vehement complaining I've noted on Opera's forums, Firefox will probably be in for a rough ride in the user-complaint department. In Opera's case, the behavior can't (yet) be over-ridden with a user setting, though it appears Firefox will enforce it via a setting that might be alterable.
--
“The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money.” A. de Tocqueville


rcdailey
Dragoonfly
Premium
join:2005-03-29
Rialto, CA

1 recommendation

reply to antdude
Will this break dslreports.com?


chachazz
Premium
join:2003-12-14
kudos:9
Reviews:
·TELUS
reply to antdude
Mozilla - Security Engineering -
Mixed Content Blocking Enabled in Firefox 23!
»blog.mozilla.org/tanvi/2013/04/1···efox-23/

That's currently Firefox 'Nightly' ..scheduled for (stable) release August 6, 2013.

OZO
Premium
join:2003-01-17
kudos:2
reply to antdude
said by antdude:

"A big change is coming for Mozilla Firefox 23 that will force a best practice on web users that is long overdue.

Many websites have long mixed SSL content with non-SSL content on the same page..."

It's long overdue, indeed. I always set all my browsers (beginning with IE6, long time ago) to do just that. Still yet to see a web site that could be "broken".

Moreover, I'm pretty sure that web developers know well what they're doing by mixing that content (e.g. embedding tracking services into it, etc)... So, if they want security-cautious users to visit and use their site, they know how to make it work well even if users block mixed content. Those who don't know that ... well, they aren't worth their job.

I just wonder why it's such a big deal for Firefox now to finally implement that elementary security protection for its users...
--
Keep it simple, it'll become complex by itself...


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse
reply to chachazz
said by chachazz:

Mozilla - Security Engineering -
Mixed Content Blocking Enabled in Firefox 23!
»blog.mozilla.org/tanvi/2013/04/1···efox-23/

That's currently Firefox 'Nightly' ..scheduled for (stable) release August 6, 2013.

Okay. When I read that mozilla link, it does not look too bad.

Most of the cases where blocking would cause trouble are passive content, and it seems that mixed passive content won't be blocked.
--
AT&T Uverse; Buffalo WHR-300HP router (behind the 2wire gateway); openSuSE 12.3; firefox 20.0
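
Added example, not part of the thread or any poster's code: a small offline check a site owner could run to see which insecure subresources on an HTTPS page fall under the active/passive split mentioned above. The tag table is a simplified assumption for illustration, and the sample page and all host names are constructed.

```python
"""Offline mixed-content check for one HTTPS page (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Simplified tag table (an assumption of this example, not a browser's full
# list): "active" loads can script or restyle the page, "passive" loads are
# display-only media.
CATEGORY = {
    ("script", "src"): "active",
    ("iframe", "src"): "active",
    ("object", "data"): "active",
    ("link", "href"): "active",  # only when rel contains "stylesheet"
    ("img", "src"): "passive",
    ("audio", "src"): "passive",
    ("video", "src"): "passive",
}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (category, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rel = (attrs.get("rel") or "").lower().split()
            if "stylesheet" not in rel:
                return
        for (t, attr), category in CATEGORY.items():
            value = attrs.get(attr)
            if t != tag or not value:
                continue
            # Resolve relative and protocol-relative URLs against the page,
            # so "//cdn/x.js" and "/x.css" inherit https and are not flagged.
            absolute = urljoin(self.page_url, value.strip())
            if urlsplit(absolute).scheme == "http":
                self.findings.append((category, tag, absolute))


def scan(page_url, html):
    """Return insecure subresources of an HTTPS page, in document order."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on pages loaded over HTTPS
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a webmail message view with a remote image in the mail
# body plus third-party script and frame includes. All hosts are made up.
SAMPLE_URL = "https://webmail.example.com/inbox/42"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/mail.css">
<script src="http://stats.example.net/track.js"></script>
<script src="//cdn.example.org/lib.js"></script>
</head><body>
<img src="http://photos.example.net/cat.jpg">
<img src="https://webmail.example.com/logo.png">
<iframe src="http://ads.example.net/frame.html"></iframe>
</body></html>"""

if __name__ == "__main__":
    for category, tag, url in scan(SAMPLE_URL, SAMPLE_HTML):
        verdict = "blocked by default" if category == "active" else "still loads"
        print(f"{category:8} <{tag}> {url} -> {verdict}")
```
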

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to antdude
What I want to know is how do I turn OFF SSL on sites like the Mozilla blog that does NOT need it?

Mozilla should cease with the ultra nanny crap.

When I try to go to that blog link (which is full of utter claptrap), via HTTP the address gets changed to HTTPS which I do NOT want for a blog! Geez...HTTPS is needed ONLY for a site where I purchase something or enter banking information or if I was forced to access my ISP's email on their web page instead of the proper method of downloading it to disk to read. ALL else should be HTTP. How do I force these sites that don't need HTTPS to use HTTP instead?

That blog talks about over fatiguing the user with too much HTTPS mixed content popups ....well, this crap would drive me nuts because I have UNtrusted ALL Comodo and Comodo related and GoDaddy certs since Dec 2008 in all browsers. I certainly don't need a lot more sites that are UNnecessarily HTTPS where I will be getting a browser protest about the cert (because it is from an untrusted cert provider) and then I have to click through all the claptrap EACH time that Mozilla has set up. This will send me back to Opera as my default browser where there is not nearly as much "drama" surrounding untrusted certs.

This propensity now to HTTPS is such a huge farce. Before getting ticky, nicky about something as innocuous as mixed (especially passive) content on https pages the browser vendors should first have the guts to clean up the certificate mess that they deliberately allow to continue. In other words ...Comodo (like Microsoft) is too big to fail. What hypocrites Mozilla developers are (and the other browser makers also).

Besides, I am almost positive I recall Fx used to block mixed content..all browsers did/do I think. So, why is this something "new"? IE 10 refused yesterday to properly open a site that was https because of mixed content. I just overrode the popup and then had other problems at the site. It was a site that had ZERO need to put the entire site behind HTTPS. It should have only the check out for purchases pages behind HTTPS (and login page if the site forces login in order to purchase). Fx 17 ESR wouldn't display the pages at all (only Opera was somewhat successful at the site) so seems to me Fx already covers mixed content but should have a popup so you can ignore the mixed content warning and display the page anyway if you so choose. HTTPS sites frequently break all my browsers. I HATE THEM..except for banking or web purchases.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


intok

join:2012-03-15
reply to StuartMW
said by StuartMW:

And given Mozilla's habit of releasing a major version (which they aren't anyway--Mozilla just likes big numbers) every 6 weeks or so this is only about 4 months away. So how many websites will this break? I can hear the bitchin' now.

I hear this all the time about Firefox, but never hear it about Chrome.

It's an update that brings new features to the public on a non glacial time scale. If you don't like it go back to IE6.


intok

join:2012-03-15
reply to kickass69
said by kickass69:

Is this more a matter of Mozilla attempting to force standard behavior/better security practices or them running amok forcing websites to adapt to their standards?

Sometimes the only way to get people to do the right thing is by force. Hopefully Chrome, Opera, Safari and IE pick this up as well.


intok

join:2012-03-15
reply to StuartMW
said by StuartMW:

said by therube:

...they are wanting to make the change because it is the correct way to do things.

Of course. But as I alluded to above after a certain time things become "industry standards".

Most industry standards suck because they are the most half assed option that everyone else ends up having to support.


intok

join:2012-03-15
reply to Dude111


said by Dude111:

I can do that on IE and I have it set to PROMPT.. (Sometimes I allow the NON-SSL stuff other times I don't)

So sometimes you feel like a nut? And some times you don'... Wait, you are always a nut...

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to intok

Re: Mozilla Firefox 23 Will Block Mixed SSL Content

said by intok:

said by kickass69:

Is this more a matter of Mozilla attempting to force standard behavior/better security practices or them running amok forcing websites to adapt to their standards?

Sometimes the only way to get people to do the right thing is by force. Hopefully Chrome, Opera, Safari and IE pick this up as well.

Huh? IE already blocks mixed content pages as does Opera. Fx used to also so I don't understand why Mozilla says this is something new. I use Fx ESR versions and before they had one, I used Fx 1.5 for many years and then Fx 4 for two years and those versions blocked mixed content. I guess some of the ultra rushed versions after ver 4 have not blocked it. I know Fx 17 ESR sucks badly as far as being able to easily tell if a page is secure or not. Mozilla gets worse all the time with security. They should fix the tiny, hard to see gray lock situation (with a BIG gold lock and colored address bar) and go back to a FULL BOLDING of the contents of the address bar so that one knows instantly if they are on a secure page.

As for blocking mixed content I think Fx still does as they always have. That blog didn't make much sense. Fx refused to load a mixed content page for me yesterday. It loaded as a blank page. The problem was that Fx did not clearly show the tiny gray lock and did not color the address bar properly or bold the "https" part of the address so I didn't even realize that the page was supposed to be secure! It wasn't a banking site or a page where one makes a purchase or a web email page, etc., so one would not be realistically expecting a secure page.

Then Fx did not tell me there was mixed content on that page so since I didn't even realize it was supposed to be a secure page, I didn't know why it didn't load it until I tried with IE 10 which gave me a popup about mixed content and gave me a choice of loading or not loading the page. That is the way to handle mixed content. (However, I didn't realize on IE either that the page was secure because it too had a very tiny, almost impossible to see, obscure lock that was gray colored and no proper indication really of a secure page. Only Opera properly, and clearly, identified the page as secure with a big gold lock and a colored address bar). I think Fx and IE need to address the much more serious problem of how they have made secure pages as UNobvious as possible instead of Mozilla claiming they are fixing mixed content pages for the "safety" of their customers.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson

praetoralpha

join:2005-08-06
Pittsburgh, PA
reply to Mele20
said by Mele20:

What I want to know is how do I turn OFF SSL on sites like the Mozilla blog that does NOT need it?

Mozilla should cease with the ultra nanny crap.

When I try to go to that blog link (which is full of utter claptrap), via HTTP the address gets changed to HTTPS which I do NOT want for a blog! Geez...HTTPS is needed ONLY for a site where I purchase something or enter banking information or if I was forced to access my ISP's email on their web page instead of the proper method of downloading it to disk to read. ALL else should be HTTP. How do I force these sites that don't need HTTPS to use HTTP instead?

That blog talks about over fatiguing the user with too much HTTPS mixed content popups ....well, this crap would drive me nuts because I have UNtrusted ALL Comodo and Comodo related and GoDaddy certs since Dec 2008 in all browsers. I certainly don't need a lot more sites that are UNnecessarily HTTPS where I will be getting a browser protest about the cert (because it is from an untrusted cert provider) and then I have to click through all the claptrap EACH time that Mozilla has set up. This will send me back to Opera as my default browser where there is not nearly as much "drama" surrounding untrusted certs.

All web traffic should be encrypted, IMHO. It's no business to anyone of what I (or you!) read, look at, or do online, and encryption is an easy way to guarantee it. Not just for banking, buying stuff, and email, but for blogs too. It's also a good way to prevent anyone in between from changing the traffic.

If you want to force HTTP on otherwise HTTPS sites, good luck. Both of them go over different ports (80 and 443), and there is no guarantee or implication (either by web standards or convention) that either will serve the same content. Web servers might be configured to never serve anything over HTTP, except to upgrade protocol to HTTPS.

People who are far more knowledgeable on SSL certificates than anyone on this forum are in charge of maintaining certificates that come with browsers and OSes. If you keep up to date and disabled any of them, you likely deserve all the nagging you have coming to you.

As for mixed content sites, send them all your feelings about how they are ruining the web. Soon, I will be notifying all the people and organizations sending me newsletters with mixed/unsecured content.


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:3

1 recommendation

said by praetoralpha:

All web traffic should be encrypted, IMHO.

+1.

I use HTTPS wherever possible--including this site.

Bob et al already monitor enough traffic. No need to make it easy for him/them.
--
Don't feed trolls--it only makes them grow!


chachazz
Premium
join:2003-12-14
kudos:9
Reviews:
·TELUS
reply to nwrickert
said by nwrickert:

said by chachazz:

Mozilla - Security Engineering -
Mixed Content Blocking Enabled in Firefox 23!
»blog.mozilla.org/tanvi/2013/04/1···efox-23/

That's currently Firefox 'Nightly' ..scheduled for (stable) release August 6, 2013.

Okay. When I read that mozilla link, it does not look too bad.

Most of the cases where blocking would cause trouble are passive content, and it seems that mixed passive content won't be blocked.

Always better and clearer information from the 'Source'.


therube

join:2004-11-11
Randallstown, MD
reply to antdude


therube

join:2004-11-11
Randallstown, MD
Reviews:
·Comcast
·Verizon Online DSL

2 edits
reply to Mele20
> I used Fx 1.5 for many years

> and then Fx 4 for two years and those versions blocked mixed content.

1.5 does not block it.
4.0 does not block it, but does give you an alert (at least the first time I loaded the page?)

(I used existing Profiles & did not look through any Preference settings.)

> being able to easily tell if a page is secure or not

That is not difficult & is always known.
It is how to take that, in a meaningful way, & present it to an (idiot) end user.

> Fx refused to load a mixed content page for me yesterday.

URL?

> Fx did not clearly show the tiny gray lock ...

The coloring, & there are different colorings, do mean something, do convey (or are supposed to) different meaning to the user. (Have no clue what the different colors mean - & therein lies the problem.)

> IE 10 which gave me a popup about mixed content and gave me
> a choice of loading or not loading the page

IE's popup isn't bad actually. Just wonder how pervasive it is as you browse the net? (Don't use IE so don't know.) And if it is always popping up, I'm sure people will simply tell it not to notify (if such an option exists) thereby negating any value it may have.


Dude111
An Awesome Dude
Premium
join:2003-08-04
USA
kudos:13
reply to therube

 

I get a blank screen on that page (Nothing loads)



EDIT:

I enabled scripts and then I saw the NON-SSL prompt