Google and Feedburner versus Extended Validation Certificates – and "this page contains both secure and non-secure items" errors
Well, the EV problem experienced at Tim Callan’s blog has been fixed – by removing Google Analytics and Feedburner tracking code from the page. I should point out that Google’s code was removed LAST; therefore it is possible that Feedburner may be blameless – we won’t know for sure unless the site is tested with Feedburner tracking code reinstated.
This incident is a timely warning for web site owners to consider the security implications of all code that they add to their sites, especially their HTTPS sites. If a site owner has invested the time and expense required to qualify for an EV certificate, they will not want their customers’ experience to be complicated by error messages such as those we saw on Tim’s blog.
I note that Google Analytics code (when used on an HTTPS page) is not the only example of a Google service triggering the “This page contains both secure and nonsecure items. Do you want to display the nonsecure items?” error. I have also seen the error on Gmail’s login page when the “Sign Up For Gmail” pane uses a graphic instead of a simple hyperlink. Google also faced (faces?) a similar problem with their Google Checkout service, which also triggered (triggers?) the error message – can you imagine how scary it would be for somebody purchasing products from a web site if they saw that error?
I also note that “someone at Google” had advised the complainant that the “available solutions” to get rid of the alert window are to use a different web browser or lower the browser security settings.
I’ll be honest – as far as I’m concerned it is not acceptable in this day and age, from a security standpoint, to tell customers of any web site that they can avoid an alert message by “lower[ing] their browser security settings”. Just imagine if the site in question was hacked (or any site that the user visits which uses the same Internet security zone). The negative implications for customers if they followed such advice are frightening.
Suggesting that people swap to a different web browser is taking the easy way out (as we know from Tim’s experience, changing web browser doesn’t fix the green address bar problem anyway).
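
A check a site owner could run on a page's HTML before adding third-party code to an HTTPS site, as an added example that is not part of the original post: it lists every subresource the page would fetch over plain HTTP, which is what triggers the "secure and nonsecure items" warning. The hosts and the sample page are constructed placeholders, and the tag list is a common subset, not an exhaustive one.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attribute that makes the browser fetch a subresource (common subset).
FETCHING_ATTRS = {"script": "src", "img": "src", "iframe": "src",
                  "embed": "src", "object": "data"}
# <link rel=...> values that trigger a fetch (a plain hyperlink does not).
FETCHING_LINK_RELS = {"stylesheet", "icon"}

class MixedContentFinder(HTMLParser):
    """Collects subresources an HTTPS page would load over plain HTTP."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (line number, tag, resolved URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        ref = attrs.get(FETCHING_ATTRS.get(tag, ""))
        rels = set((attrs.get("rel") or "").lower().split())
        if tag == "link" and rels & FETCHING_LINK_RELS:
            ref = attrs.get("href")
        if not ref:
            return
        # Resolve relative and protocol-relative (//host/path) references
        # against the page URL, as a browser would.
        resolved = urljoin(self.page_url, ref.strip())
        if urlparse(resolved).scheme == "http":
            self.findings.append((self.getpos()[0], tag, resolved))

def find_mixed_content(page_url, html):
    if urlparse(page_url).scheme != "https":
        return []  # the warning only applies to pages served over HTTPS
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample page; the hosts are placeholders, not real services.
SAMPLE = """<html><head>
<link rel="stylesheet" href="/site.css">
<script src="http://tracker.example/track.js"></script>
</head><body>
<a href="http://signup.example/">Sign up</a>
<img src="http://images.example/signup.png">
<script src="//cdn.example/lib.js"></script>
</body></html>"""

for line, tag, url in find_mixed_content("https://blog.example/post", SAMPLE):
    print(f"line {line}: <{tag}> loads {url}")
```

In the sample, the tracking script and the graphic are reported, while the plain hyperlink and the protocol-relative script are not, since the hyperlink is never fetched with the page and the protocol-relative URL inherits HTTPS.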