Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

Google and Feedburner versus Extended Validation Certificates – and "this page contains both secure and non-secure items" errors

February 24th 2008 in Uncategorized

Well, the EV problem experienced at Tim Callan’s blog has been fixed – by removing Google Analytics and Feedburner tracking code from the page.  I should point out that Google’s code was removed LAST, so it is possible that Feedburner is blameless – we won’t know for sure unless the site is tested with the Feedburner tracking code reinstated.

This incident is a timely warning for web site owners to consider the security implications of all code that they add to their sites, especially their HTTPS sites.  Any script, image, stylesheet or frame that an HTTPS page pulls from a plain HTTP address makes the page “mixed content”: the browser warns the visitor, and on an EV site the green address bar is lost as well.  If a site owner has invested the time and expense required to qualify for an EV certificate, they will not want their customers’ experience to be complicated by error messages such as those we saw on Tim’s blog. 

I note that Google Analytics code (when used on an HTTPS page) is not the only example of a Google service triggering the “This page contains both secure and nonsecure items. Do you want to display the nonsecure items?” error.  I have also seen the error on Gmail’s login page when the “Sign Up For Gmail” pane uses a graphic instead of a simple hyperlink.  Google also faced (faces?) a similar problem with their Google Checkout service, which also triggered (triggers?) the error message – can you imagine how scary it would be for somebody purchasing products from a web site if they saw that error?

Cite: http://groups.google.com/group/google-checkout-api-troubleshooting/browse_thread/thread/5e855a0fee76b181/b0f83bbee904b8c4?lnk=st&q=%22This+page+contains+both+secure+and+nonsecure+items%22#b0f83bbee904b8c4

I also note that “someone at Google” had advised the complainant that the “available solutions” to get rid of the alert window are to use a different web browser or lower the browser security settings.

I’ll be honest – as far as I’m concerned it is not acceptable in this day and age, from a security standpoint, to tell customers of any web site that they can avoid an alert message by “lower[ing] their browser security settings”.  Just imagine if the site in question was hacked (or any site that the user visits which uses the same Internet security zone, because the lowered settings apply to every site in that zone).  The negative implications for customers if they followed such advice are frightening.

Suggesting that people swap to a different web browser is taking the easy way out (as we know from Tim’s experience changing web browser doesn’t fix the green address bar problem anyway).
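A practical way to act on the warning above is to audit a page’s subresources before the browser does. The following Node.js script is an added example written for this post, not code from this blog, Google or Feedburner. It takes a page’s HTML and the URL it was served from, resolves every script, image, stylesheet, frame and embed reference (relative paths and protocol-relative `//host/path` references inherit the page’s https: scheme, so only explicit http:// URLs end up insecure) and lists the ones an HTTPS page would fetch over plain HTTP, separating active content that can rewrite the page (scripts, stylesheets, frames) from passive content (images). The sample HTML is constructed for the demo: the two Google Analytics lines are the https://ssl.google-analytics.com/urchin.js address reported in Karen Snyder’s comment below and its plain-HTTP counterpart (assumed here to be the form that triggered the warning); the Feedburner image path and the other hostnames are made up.

```javascript
// Added example for this post (not code from the blog, Google or Feedburner):
// a mixed-content checker for the "secure and nonsecure items" problem.
// Given a page's HTML and the URL it was served from, it resolves every
// subresource reference and reports the ones that an HTTPS page would fetch
// over plain HTTP. Run with: node mixed-content-check.js

// Tags whose src/href/data attribute fetches a subresource. Plain <a href>
// is deliberately absent: a navigation link is not fetched with the page.
const TAG_ATTR = /<(script|img|iframe|frame|link|embed|object|source|audio|video)\b([^>]*)>/gi;
const ATTR = /\b(src|href|data)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i;
// Content that can run code or restyle the page, as opposed to passive images/media.
const ACTIVE = new Set(['script', 'iframe', 'frame', 'link', 'embed', 'object']);

function findMixedContent(html, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  if (page.protocol !== 'https:') return findings; // a plain-HTTP page cannot have mixed content

  for (const m of html.matchAll(TAG_ATTR)) {
    const tag = m[1].toLowerCase();
    const a = ATTR.exec(m[2]);
    if (!a) continue;                       // tag without a URL attribute (e.g. inline <script>)
    const raw = a[2] ?? a[3] ?? a[4];
    let resolved;
    try {
      // Relative paths and protocol-relative "//host/path" references inherit
      // https: from the page, so only an explicit http:// URL ends up insecure.
      resolved = new URL(raw, page);
    } catch {
      continue;                             // unparseable attribute value: nothing to fetch
    }
    if (resolved.protocol === 'http:') {
      findings.push({ tag, raw, url: resolved.href, active: ACTIVE.has(tag) });
    }
  }
  return findings;
}

// Constructed sample page. The two Google Analytics lines are the https address
// reported in the comments and its plain-HTTP counterpart (assumed here to be the
// form that triggered the warning); the Feedburner path and other hosts are made up.
const SAMPLE_HTML = `<html><head>
<link rel="stylesheet" href="/css/blog.css">
<script src="http://www.google-analytics.com/urchin.js" type="text/javascript"></script>
<script src="https://ssl.google-analytics.com/urchin.js" type="text/javascript"></script>
</head><body>
<img src="//cdn.example.test/logo.png" alt="logo">
<img src='http://feeds.feedburner.com/~fc/example/counter.gif' alt="">
<a href="http://www.example.test/">an outbound link</a>
</body></html>`;

const SAMPLE_PAGE_URL = 'https://blogs.verisign.com/ssl-blog/';

for (const f of findMixedContent(SAMPLE_HTML, SAMPLE_PAGE_URL)) {
  console.log(`${f.active ? 'ACTIVE ' : 'passive'} <${f.tag}> ${f.url}`);
}
// prints:
// ACTIVE  <script> http://www.google-analytics.com/urchin.js
// passive <img> http://feeds.feedburner.com/~fc/example/counter.gif
```

The stylesheet and the protocol-relative image are not reported because they resolve to https: against the page’s own scheme, which is also why writing a tracking snippet as `//host/path` is one way to avoid hard-coding the scheme. That only helps when the host actually answers over HTTPS; a server that is HTTP-only, as Karen Snyder reports for the Feedburner code, will still break the page.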


4 comments to...
“Google and Feedburner versus Extended Validation Certificates – and "this page contains both secure and non-secure items" errors”

karen snyder

Hi Sandi,

Thanks for your suggestion that I remove the Google Analytics code from Tim’s blog. I’ll reinstate the Feedburner code tomorrow and have someone test it, then I’ll let you know the results.

I hope this info helps other Web site owners keep *their* EV certs functioning properly.

Karen Snyder
VeriSign Blogs / New Media Program Manager



Tim Callan

This is Tim Callan, the blogger in question. I want to thank you, Sandi, for all your hard work in identifying the key issues so that we can make this security solution into all it should be. It’s one thing to design an architecture that works from a puristic perspective, and it’s quite another to find and stamp out all those nagging little details that exist in the real world. Your contribution here has been very valuable, and we certainly are smarter about a few specific Web applications and their interface with EV than we were before this whole thread began.

We’ll keep on it and figure out exactly what’s going on here.

Cheers,

-tlc



karen snyder

Hey Sandi,

Turns out that Google Analytics has a “secure” version of their tool. We used this: https://ssl.google-analytics.com/urchin.js

It was tested and should be working fine now. I’m not going to reinsert the feedburner code; it’s calling to a non “https” server so it will break the EV cert again. I’ll try to find a secure version.

Thanks again,
~K



Patrick

Thanks Karen, that’s exactly what I’m looking for :)


But, to be fair, his blog is not the only Verisign page that is missing the green address bar when it ought not… Let’s visit Tim’s blog at https://blogs.verisign.com/ssl-blog/.  Check this out. We load the URL – we see an alert about “secure and nonsecure items”.  When we see this error it generally means that […]
