
What is Mixed Content?

By Heshy Friedman


As I mentioned in last month’s blog post, Google made a change that essentially requires websites to encrypt their pages with SSL. They did this by making their Chrome browser show an insecure-site warning on any site without SSL, which generally frightens visitors away. Firefox jumped on the bandwagon and also added an unlocked icon and a warning message when one clicks the site information icon next to the address bar.

Now with people getting the message, I have been bombarded by clients asking why their website is suddenly insecure. This is despite my many attempts to reach out to my customers with advance notification. People are generally reactive, not proactive, so I shouldn’t blame them for not saying anything until they saw the notification. But I do wish they would read my emails and listen to my messages.

Now that I am dealing with this regularly and installing SSLs on all new sites I release (even static informational ones), I would like to bring attention to what is, perhaps, the most common issue dealt with when installing SSLs. This relates to “mixed content.”

“Mixed content” means that there are non-SSL site links, file references, or scripts on a web page that has SSL. One of the rules of an SSL-encrypted page is that all local site references and embedded files and scripts also need to be encrypted by SSL. If any of these items are not encrypted, but the page and website do have encryption, a “mixed content” error will appear: the web browser will show an icon of a broken lock and state something like “Mixed Content Detected,” indicating the site is not secure.

This problem can be fixed easily. The first step is to figure out where the bad non-SSL references are. On smaller sites this can be simple: search for “http://” in the code of each web page and replace each occurrence with “https://”. For larger sites, it is best to scan the pages to find the insecure non-https references in the code. A very good resource for this is Whynopadlock.com. This site will scan your own website and, by auditing the code, report any bad references or other SSL issues that it finds.

For WordPress websites, the easiest way to fix this is by using a plugin such as Really Simple SSL, which automates the process by scanning the website for http:// references and redirecting them on page load. This is much easier than going through all the template files and database references for http:// instances and gets the job done simply and cleanly.

Copyright © 2022 Azurite Marketing Group, all rights reserved.