Identifying insecure content in secure html request

Question

Hi, I'm debugging an https page with httpFox, looking for insecure content. There's only one insecure request on the entire page, but I can't tell what it is for?

httpFox is flagging this request...it's the only "http" request on the page (the rest are "https"):

00:00:57.444 0.378 970 113575 GET 200 text/html (NS_IMAGELIB_ERROR_NO_DECODER) http://[thebaseURL]/

where the "thebaseURL" is the just the root domain without anything after it (no subpath or file request)

Is there something in the response header that would be the problem? when I click on the line above, I see the response header includes to "set-coookie" for two cookies...would setting a cookie without the secure flag being set cause the problem?

Answer 1

I just wanted to add a comment. Even though your page might be using SSL your content could still be insecure if you are logging sensitive data on the server side in Apache access logs.

SSL will only encrypt the channel from the browser to the web server. The content itself is not encrypted so if your sending sensitive data and your not using HTTP POST then all that sensitive data will be stored in the access logs.

Answer 2

I was able to identify the problem by cutting and pasting the raw HTML source of the page into a new page (copying chunks of HTML code one by one) and testing for when the SSL-certificate-validation broke.

It turns out that there was a broken image path for a 1x1-pixel shim gif. Once I corrected the image path, the page displayed correctly (no "insecure content" error).

It's curious that a missing image would cause the browser to display the "page contains a mixture of secure and insecure content" error, but hopefully this will help someone else in the future.