Why SSL-certified sites are still marked as unsafe

Do you have an SSL certificate but are missing the coveted padlock symbol? 

 

Whether it's shopping, banking or public administration, these activities are all possible from the comfort and convenience of your own home. But does the Internet offer the same level of security as if the customer were standing directly at the counter or talking face to face with a customer advisor? Cybercriminals have developed methods to obtain confidential information from Internet users and have identified the transfer of data between the user and the web application as one of the potential vulnerabilities. Their approach: they target unencrypted communication between client and server and eavesdrop on it.


SSL-protected websites put a stop to this. Users recognize this security measure by "HTTPS" being displayed in the browser's address bar instead of the well-known "HTTP". In addition, modern browsers also display this visually in the form of a green padlock symbol.

 

Why is SSL so important?

SSL stands for "Secure Sockets Layer". This can also be loosely translated as: "a secure connection layer". This technique encrypts all of the data that is exchanged between a user's computer and the server that hosts the website. In order to use this encryption on your own website, you will need a certificate that is usually subject to a fee.


But what if this expensive SSL certificate doesn't work properly and your SSL-certified site is still displayed to visitors as being unsafe? This nullifies one of the two most important advantages: besides improving your search engine ranking, an SSL certificate also generates trust among visitors and e-commerce customers. Having a yellow or red padlock displayed in the browser is counterproductive.

 

An unsafe website despite SSL certification – but why?

If your domain is marked as unsafe despite its SSL certificate, a mixed-content warning will normally be issued. This occurs when the content of a website is composed of both encrypted (HTTPS) and unencrypted (HTTP) resources. This unencrypted content is typically associated with embedded images, iFrames, CSS and JavaScript files, as well as audio and video files.


To see whether this applies to your website, you will need to check the site's source code: open it and use the search function to look for src="http://. Alternatively, you can use online tools such as Why No Padlock, Mixed Content Scan and HTTPSChecker. A practical aid: when a mixed-content warning is issued, the latest version of Google's Chrome browser directly indicates the HTTP content that is causing the error.


There are two types of mixed content in the source code:

 

  • Mixed Passive Content: This is content that is delivered and displayed in a passive manner. Images, videos and audio files fall under this category.
  • Mixed Active Content: Less common, but at the same time more dangerous for the visitor, is active content such as scripts, hence the alternative term "Mixed Scripting". This content includes links, scripts such as JavaScript, iFrames, CSS files, XMLHttpRequest objects and object data attributes. If this content is transmitted in an unencrypted format, it has a serious negative impact on the security level of your website.

 

Mixed content warnings are predominantly triggered by simple images from untrusted sources. This problem is relatively easy to fix.

 

How can the mixed content problem be fixed?

To avoid mixed content issues, all of the content used on your domain must be offered via HTTPS instead of HTTP. For you, this means replacing all of the http:// content found with its https:// equivalent. First, make sure that the respective resource is available via a secure HTTPS connection. To do this, copy the HTTP URL into a web browser, change http:// to https:// and call up the corresponding URL. If the link or image from the external source is displayed correctly, the URL in the source code can be simply changed from HTTP to HTTPS.


If this is not the case, the following options are available:

 

  • Incorporate the resource from another source.
  • Download the content and provide it via your own server, providing you are legally authorized to do so.
  • Completely refrain from using the resource.
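The source-code check described above and the replace-where-possible procedure from this section, combined into one script. This is an added example and not code from the original article; the regex-based extraction of src, href and data attributes (which goes beyond the src="http:// search the text describes, so that stylesheets and object data are caught too), the passive/active classification by tag name, the sample page and the HTTPS_AVAILABLE lookup table are all constructed for this illustration. The lookup stands in for the manual "open the https:// variant in a browser" check and would be replaced by a real HTTPS fetch in practice.

```python
"""Find mixed content in an HTML document and upgrade what can be upgraded.

Added example, not code from the article. The regex-based extraction of
src/href/data attributes, the sample page and the HTTPS_AVAILABLE lookup
table are all constructed for this illustration; the lookup stands in for
the manual "open the https:// variant in a browser" check and would be
replaced by a real HTTPS fetch in practice.
"""
import re
from typing import Callable, List, Tuple

# Tags whose insecure subresources the article classes as mixed passive content.
PASSIVE_TAGS = {"img", "video", "audio", "source"}
# Tags whose insecure subresources are mixed active content (scripts, frames, CSS, objects).
ACTIVE_TAGS = {"script", "iframe", "link", "object", "embed"}

# <tag ... src|href|data="http://..."> : named groups for tag, attribute, quote and URL.
RESOURCE_RE = re.compile(
    r'<(?P<tag>[a-zA-Z][a-zA-Z0-9]*)\b[^>]*?\s(?P<attr>src|href|data)='
    r'(?P<q>["\'])(?P<url>http://[^"\']+)(?P=q)',
    re.IGNORECASE,
)


def classify(tag: str) -> str:
    """Map a tag name to 'passive', 'active' or '' (not a fetched subresource, e.g. <a href>)."""
    tag = tag.lower()
    if tag in PASSIVE_TAGS:
        return "passive"
    if tag in ACTIVE_TAGS:
        return "active"
    return ""


def find_mixed_content(html: str) -> List[Tuple[str, str, str]]:
    """Return (kind, tag, url) for every http:// subresource reference in the page."""
    findings = []
    for m in RESOURCE_RE.finditer(html):
        kind = classify(m.group("tag"))
        if kind:
            findings.append((kind, m.group("tag").lower(), m.group("url")))
    return findings


def upgrade_mixed_content(html: str, https_ok: Callable[[str], bool]) -> Tuple[str, List[str]]:
    """Rewrite http:// subresource URLs to https:// where https_ok(https_url) reports
    the secure variant as reachable. Returns the rewritten HTML and the URLs that
    could not be upgraded; those need another source, a self-hosted copy or removal."""
    unresolved: List[str] = []

    def repl(m: "re.Match[str]") -> str:
        if not classify(m.group("tag")):
            return m.group(0)
        https_url = "https://" + m.group("url")[len("http://"):]
        if https_ok(https_url):
            prefix = m.group(0)[: m.start("url") - m.start()]
            return prefix + https_url + m.group("q")
        unresolved.append(m.group("url"))
        return m.group(0)

    return RESOURCE_RE.sub(repl, html), unresolved


# Constructed sample page: three upgradable resources, one without an HTTPS endpoint,
# and a plain navigation link that is not a fetched subresource.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="http://cdn.example.test/app.js"></script>
</head><body>
<img src="http://images.example.test/logo.png">
<iframe src="http://widgets.example.test/embed"></iframe>
<a href="http://partner.example.test/">Partner</a>
</body></html>"""

# Constructed answers to "does the https:// variant load?"; a real run would fetch them.
HTTPS_AVAILABLE = {
    "https://cdn.example.test/site.css": True,
    "https://cdn.example.test/app.js": True,
    "https://images.example.test/logo.png": True,
    "https://widgets.example.test/embed": False,
}


def demo() -> Tuple[List[Tuple[str, str, str]], str, List[str]]:
    """Scan the sample page, then upgrade it using the constructed availability table."""
    findings = find_mixed_content(SAMPLE_HTML)
    fixed, unresolved = upgrade_mixed_content(SAMPLE_HTML, lambda u: HTTPS_AVAILABLE.get(u, False))
    return findings, fixed, unresolved


if __name__ == "__main__":
    findings, fixed, unresolved = demo()
    for kind, tag, url in findings:
        print(f"{kind:8} <{tag}> {url}")
    print(fixed)
    print("needs another source, self-hosting or removal:", unresolved)
```

Running the script lists every insecure reference with its passive/active class, prints the page with the three upgradable URLs rewritten, and reports the iframe widget as unresolved, which is exactly the case where one of the three fallback options above (another source, a self-hosted copy, or dropping the resource) has to be chosen.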

The solution for larger websites

Is the process of manually replacing the non-secure resources on your domain simply too much work? Or is your website so complex and extensive that searching for mixed content would not be feasible without a lot of hassle? If so, the Content Security Policy (CSP) concept is a good alternative for you.


This concept can be integrated using two different methods:

 

  • In the HTTP response header, with the entry Content-Security-Policy: upgrade-insecure-requests
  • Via meta tag <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">

 

Both methods cause the browser to automatically convert the HTTP URLs of the page's resources to HTTPS before requesting them. The HTTP header field is supported by Mozilla Firefox (version 23 and later), Google Chrome (version 25 and later) and Internet Explorer (releases 10 and 11 and later).
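The two delivery methods listed above, as an added example that is not code from the original article: a WSGI middleware (standard library only) that adds the response header while merging the directive into any Content-Security-Policy header the application already sends, so that an existing policy is not overwritten, and a helper that inserts the meta tag into a static HTML page. The wrapped application, the minimal WSGI environ and the sample page are constructed stand-ins.

```python
"""Deploy the Content-Security-Policy upgrade-insecure-requests directive.

Added example, not code from the article. It shows the two delivery methods
the article lists: a WSGI middleware (standard library only) that adds the
response header, merging with any CSP header the application already sends
so an existing policy is not overwritten, and a helper that inserts the
<meta> tag into a static HTML page. The wrapped application and the page
are constructed stand-ins.
"""
import re
from typing import Callable, List, Optional, Tuple

DIRECTIVE = "upgrade-insecure-requests"
META_TAG = '<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">'
HEADER = "Content-Security-Policy"


def merge_csp(existing: Optional[str]) -> str:
    """Return a policy that contains upgrade-insecure-requests exactly once,
    keeping every directive the existing policy already had."""
    directives = [d.strip() for d in (existing or "").split(";") if d.strip()]
    if not any(d.lower() == DIRECTIVE for d in directives):
        directives.append(DIRECTIVE)
    return "; ".join(directives)


class UpgradeInsecureRequests:
    """WSGI middleware: add the directive to the CSP header of every response."""

    def __init__(self, app: Callable) -> None:
        self.app = app

    def __call__(self, environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            existing = next((v for k, v in headers if k.lower() == HEADER.lower()), None)
            kept = [(k, v) for k, v in headers if k.lower() != HEADER.lower()]
            kept.append((HEADER, merge_csp(existing)))
            return start_response(status, kept, exc_info)

        return self.app(environ, patched_start_response)


def inject_meta_tag(html: str) -> str:
    """Insert the meta tag directly after <head ...>, unless the page already carries
    a CSP meta tag (re-running the helper must not duplicate it)."""
    if re.search(r'http-equiv=["\']Content-Security-Policy["\']', html, re.IGNORECASE):
        return html
    return re.sub(r"<head\b[^>]*>", lambda m: m.group(0) + "\n" + META_TAG, html,
                  count=1, flags=re.IGNORECASE)


def sample_app(environ, start_response):
    """Constructed application that already sends a CSP of its own."""
    start_response("200 OK", [("Content-Type", "text/html"), (HEADER, "default-src 'self'")])
    return [b"<html><head><title>demo</title></head><body></body></html>"]


def run_once(app: Callable) -> Tuple[str, List[Tuple[str, str]], bytes]:
    """Call a WSGI app with a minimal constructed environ and capture status, headers and body."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": "/"}, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    status, headers, body = run_once(UpgradeInsecureRequests(sample_app))
    print(status, dict(headers)[HEADER])
    print(inject_meta_tag(body.decode()))
```

The header variant covers every response the application emits, whereas the meta tag only applies to the page that carries it. Note also that the directive only changes the scheme of each resource request: if a resource host has no HTTPS endpoint, the browser reports a load error instead of falling back to HTTP, so the availability check from the previous section is still needed for resources you do not control.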