When a website is served over HTTPS, visitors expect their data to be safe. That holds only if all of the page's content, such as images, files and subpages, is also loaded from HTTPS sources. Browsers penalize websites with what they call mixed content by displaying an error symbol on the HTTPS and padlock indicator when users visit your website. It is, therefore, essential to ensure that no mixed content (HTTP and HTTPS) exists on your website when installing an SSL Certificate.
Types of Mixed Content
Image Source: https://www.keycdn.com/blog/http-to-https/
Browsers such as Google Chrome and Mozilla segment mixed content into two types: (1) passive mixed content and (2) active mixed content.
(1) Passive Mixed Content
Passive mixed content includes media files such as images, audio and video that are pulled over external HTTP connections. When information passes from an HTTP source into an HTTPS page, data could get leaked. An attacker can manipulate mixed content by altering any image, audio or video and redirecting users to a phishing website.
(2) Active Mixed Content
Active mixed content, on the other hand, involves pulling an entire script from an HTTP source into an HTTPS page. Active mixed content is considered more dangerous than passive mixed content because attackers can trick the HTTPS site into pulling content from another HTTP source (which can be malicious). This lets an attacker request personal data from your visitors, including credit card details, ID numbers and email addresses.
Check Before Implementing SSL
It is advisable to ensure that all resources on the site come from HTTPS sources, in particular if media files or scripts are stored in an external database. While SSL is the web standard technology used for securing connections, there are checks to be done on your part to set up encryption correctly. Ideally, you want to avoid mixed content errors because they open up a huge vulnerability on your website for attackers to exploit. Consequently, this can affect your brand reputation and business operations if a data breach occurs.