What does this HTTPS "not fully secure" warning mean?

In a nutshell, it is saying that while the core of the page is using https (secure) to get that information to your computer, that (secure) page references insecure elements (like pictures and possibly scripts).

Attackers can't directly change the original page, but they can change the insecure elements. If those are pictures, they can change the image. If those are scripts, they can change those, too. In that way, attackers could change what you see, even though the core page was 'secure'.

As Michael Kjörling points out in the comments, this also exposes some of your information in these requests - potentially cookies (if it is the same site / matches the cookie sites / the developer didn't specify secure only), referrers, etc., which will leak some information about what you are doing in the best case and in the worst case may allow certain attacks.

This is bad practice on the part of the web developer - all elements should use secure transport.

You could (potentially) improve your own situation using a browser plugin that automatically upgrades all requests from http to https.


The warning means that certain passive elements of the page (passive elements are things like images, videos, audio, etc) have been loaded over an insecure connection. No active content, which is content that could access your username or password (primarily scripts, but also iframes), has been loaded over an insecure connection, so entering your password on that page is just as safe as if the warning message was not there.

There are two reasons that browsers warn you about passive mixed content. The obvious one is that an attacker could replace the insecure images with something else. The more subtle risk is that if an attacker can see what images are loaded on the page, they might be able to correlate that with the pages on the site that load those images, and use that to determine what page on the site you are viewing. In your case, that doesn't matter, but for some sites HTTPS is used partly to prevent an eavesdropper from determining which part of a site you are viewing.

If the page has been loaded over HTTPS, and there is mixed active content, which means it wouldn't be safe to enter your password, your browser will block the script automatically, so it isn't a risk. If you decide that you do want the script, it very prominently marks the site as being insecure.

Before loading the unsafe content:

[Screenshot: Chrome mixed active content warning]

After clicking "Load unsafe scripts":

[Screenshot: Chrome with a Not Secure warning]

Provided that the URL begins https:// and there are no prominent security warnings, it is safe to enter your password.
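As an added example (not code from any answer on this page), the following Python script applies the passive/active distinction from the answer above, and the image/script distinction from the first answer, to a page's HTML: it resolves every subresource URL against the page URL and reports those that would be fetched over plain http. The sample page URL and HTML are constructed for the example, and the tag-to-severity mapping is an assumption based on how the answers describe browser behaviour.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Subresource-loading tags and how browsers treat them when the URL is http
# on an https page (assumed mapping, following the answers above):
#   active  -> can run code in the page; blocked by default, "Not Secure" if allowed
#   passive -> displayed content only; loaded, but the padlock is downgraded
SUBRESOURCE = {
    "script": ("src", "active"),
    "iframe": ("src", "active"),
    "object": ("data", "active"),
    "embed": ("src", "active"),
    "img": ("src", "passive"),
    "video": ("src", "passive"),
    "audio": ("src", "passive"),
    "source": ("src", "passive"),
}


class MixedContentScanner(HTMLParser):
    """Collect (severity, tag, resolved_url) for every http:// subresource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            # Only stylesheet links fetch a subresource; rel="canonical" etc. do not.
            rel = (attrs.get("rel") or "").lower().split()
            if "stylesheet" not in rel:
                return
            attr, severity = "href", "active"
        elif tag in SUBRESOURCE:
            attr, severity = SUBRESOURCE[tag]
        else:
            return
        value = attrs.get(attr)
        if not value:
            return
        # Relative and protocol-relative ("//cdn/...") URLs inherit the page's
        # https scheme, so only an explicit http:// URL is mixed content.
        resolved = urljoin(self.page_url, value.strip())
        if urlsplit(resolved).scheme == "http":
            self.findings.append((severity, tag, resolved))


def scan(page_url, html):
    """Return the mixed-content findings for an https page, in document order."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content only applies to pages served over https")
    parser = MixedContentScanner(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


def summarize(findings):
    """Mirror the browser's decision described in the answers above."""
    if any(sev == "active" for sev, _, _ in findings):
        return "active mixed content: blocked by default; 'Not Secure' if loaded"
    if any(sev == "passive" for sev, _, _ in findings):
        return "passive mixed content: loaded, padlock downgraded to 'not fully secure'"
    return "no mixed content"


# Constructed sample: an https login page with one passive and one active problem.
SAMPLE_PAGE_URL = "https://example.test/login"
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="https://example.test/site.css">
<link rel="canonical" href="http://example.test/login">
<script src="//cdn.example.test/app.js"></script>
</head><body>
<img src="http://images.example.test/logo.png">
<img src="/static/secure.png">
<iframe src="http://widgets.example.test/chat"></iframe>
<form action="/login"><input name="password" type="password"></form>
</body></html>"""

if __name__ == "__main__":
    found = scan(SAMPLE_PAGE_URL, SAMPLE_HTML)
    for severity, tag, url in found:
        print(f"{severity:7} <{tag}> {url}")
    print(summarize(found))
```

On the sample page the scanner reports the http `img` as passive and the http `iframe` as active, while the protocol-relative script and the non-stylesheet `link` are correctly ignored. The server-side fix for a site owner is the one the first answer's plugin performs on the client: rewrite subresource URLs to https (or send the `Content-Security-Policy: upgrade-insecure-requests` header, which asks the browser to do the same for that page).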


It means the webpage is not showing all of its content over the https protocol. It has some parts using http. Mixed content is not good, and this generates the warning you are seeing in browsers because part of the content can be viewed in plaintext.

Maybe some external images loaded as `<img src="http://somewhere.net">`, or some JavaScript, CSS or whatever.

Microsoft Edge is too confident, I think. :)

Tags: encryption, tls