A secure website is one that uses a variety of security measures to protect your information. However, not all websites are created equal. Some may use outdated or less secure technologies that could leave your information vulnerable. To ensure the safety of your data, always use a trusted browser extension or bookmarklet to check the security of websites before you visit them. And if you’re ever worried about the security of your online information, reach out to your trusted friends and family for help. They can help you stay safe online too!
With all the trouble one can run into on the Internet, it is always a good idea to have as secure a connection as possible. But what do you do when your browser says a secure website is not fully secure? Today’s SuperUser Q&A post has the answer to a worried reader’s question.
Today’s Question & Answer session comes to us courtesy of SuperUser—a subdivision of Stack Exchange, a community-driven grouping of Q&A web sites.
The Question
SuperUser reader David Starkey wants to know why his browser says a secure website is not fully secure:
Next to it is a shield. This one says content that is not secure is blocked.
These statements, at least to me, seem to contradict each other. Can someone explain this to me? Is my connection secure or not? I accessed the Pandora website using Firefox 30.0 on Windows 7. I also have HTTPS Everywhere installed.
What is going on here? Is David’s connection to the Pandora website secure or not?
The Answer
SuperUser contributor redburn has the answer for us:
If the HTTPS page includes content retrieved through regular, cleartext HTTP, then the connection is only partially encrypted: the unencrypted content is accessible to sniffers and can be modified by man-in-the-middle attackers, and therefore the connection is not safeguarded anymore. When a webpage exhibits this behavior, it is called a mixed content page.
The statements are not contradictory, but complementary, and a little confusing perhaps. The first says the page itself is not fully secure because it contains unencrypted elements (all web browsers will notify you of this), whereas the second notes that these elements have been automatically blocked by Firefox.
If Firefox did not block the unencrypted elements, then strictly speaking, the page would not be secure.
HTTPS Everywhere does not guarantee a secure connection. It will only try to force HTTPS whenever it is available; if it is not, then there is nothing a user or browser can do about it outside of blocking the unsecure content.
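A site owner can look for the mixed content described in the answer before a browser flags it. The Python below is an added example, not code from the original post, Firefox or HTTPS Everywhere: it parses a page's HTML and lists every subresource that would be fetched over cleartext HTTP. The example.test URLs and the sample markup are constructed, and the active/passive labels follow common browser terminology rather than anything stated in the answer.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attribute that makes the browser fetch a subresource. <a href> is
# navigation, not a subresource of the page, so it is deliberately absent.
FETCH_ATTRS = {"script": "src", "iframe": "src", "embed": "src", "object": "data",
               "img": "src", "audio": "src", "video": "src", "source": "src"}
# Images and media are "passive" mixed content; everything else is "active".
PASSIVE_TAGS = {"img", "audio", "video", "source"}


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":  # only stylesheet links are fetched and applied
            rel = (attrs.get("rel") or "").lower().split()
            attr = "href" if "stylesheet" in rel else None
        else:
            attr = FETCH_ATTRS.get(tag)
        url = attrs.get(attr) if attr else None
        if not url:
            return
        # Resolve relative and scheme-relative (//host/x) URLs against the page.
        absolute = urljoin(self.page_url, url.strip())
        if urlparse(absolute).scheme == "http":
            kind = "passive" if tag in PASSIVE_TAGS else "active"
            self.findings.append((kind, tag, absolute))


def find_mixed_content(page_url, html):
    """Return (kind, tag, url) findings; empty for pages not served over HTTPS."""
    if urlparse(page_url).scheme != "https":
        return []
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings


# Constructed sample page on a placeholder domain (not Pandora's real markup).
SAMPLE = """<link rel="stylesheet" href="http://static.example.test/site.css">
<script src="//cdn.example.test/app.js"></script>
<script src="http://ads.example.test/track.js"></script>
<img src="http://img.example.test/logo.png"><img src="/local.png">
<a href="http://example.test/about">About</a>"""
```

Calling `find_mixed_content("https://www.example.test/", SAMPLE)` reports the stylesheet, the tracking script and the logo image; the scheme-relative script, the relative image and the plain link are not reported because they either inherit HTTPS from the page or are not subresources.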