A vexing Web-browser security warning

Fred Langa

Web pages that mix secure (https) and unsecure (http) elements are a problem.

Here’s how to reduce repetition of “Security warning: Do you want to view only the Web-page content that was delivered securely?”

Silencing those bogus HTTPS ‘security warnings’

Reader Keith Baldwin writes:

  • “I keep getting a security-warning panel. It says, ‘Do you want to view only the Web-page content that was delivered securely? This Web page contains content that will not be delivered using an https connection, which could compromise the security of the entire Web page.’

    “This is very annoying. Can I disable this? How?”

It is indeed a bother, even more so when you realize that this particular error is often the result of nothing worse than sloppy website design or coding.

When you connect to an https site, all communication between your browser and the https server is supposed to be encrypted to help prevent eavesdropping. That’s a good thing, of course.

The trouble starts when a Web coder builds a secure page that also includes elements (corporate logos, pictures of merchandise, Web-based forms, and so on) that are called from a different, unsecure, non-https location.

When you click to a page that contains a mix of https and http elements, your browser must simultaneously communicate with two different servers — only one of which is using encryption. It’s a potential security hole — a back door that could be exploited.

In fact, sometimes phishers and other miscreants deliberately use this mixed-content technique to build pages that masquerade as secure sites but actually send your information to an unsecured, malicious Web server.

That’s why browsers look for — and warn about — this kind of problem.

Most of the time, however, this kind of error is harmless. The https and http elements are benign and come from the same overall site.

If you repeatedly get a mixed-content warning on a legitimate https site — say, your bank’s — drop a note to the webmaster and complain. It should be relatively easy for their team to fix. Once all the page elements are on an https server, the warnings will stop.

you can also tell your browser that you trust a specific site (say, again, your bank’s) and it should be allowed to load, even with security errors.

All recent versions of all major browsers let you safe-list or white-list or allow specific websites, though the methods vary somewhat. (Check your browser’s Help.) Here’s how in IE 9:

  • Open Internet Explorer.
  • Click the Settings icon (the gear) and select Internet options.
  • When the dialog box opens, click on the Privacy tab.
  • Click the Sites button.
  • Type or paste the exact URL (Web address) of the site you wish to allow.
  • Click Allow.
  • Click OK.

You can turn off the warnings for all sites, not just for ones you believe to be safe. I don’t recommend doing that because you’ll stop valid alarms along with the false ones. But if you want to take your chances, there are two ways to disable the warnings in IE 9 (or use similar steps in other browsers).

► Go to Internet options, as described previously. On the Security tab, click the Custom level button, scroll down to the Miscellaneous section, and enable the Display mixed content setting.

► Or you can proceed even more globally. On the Security tab of Internet Options, change the Internet Zone to the lowest setting, which for some odd reason is called Medium (and which lowers other security options).

Reader needs to downgrade from Win7 to XP

Jessica Whitten’s in a bind.

  • “My computer originally had XP, but the previous owner upgraded to 7 with what might have been a bootleg copy of the OS. I have a different, legitimate copy of XP. How do I go about downgrading my OS?”

Those two Windows versions are sufficiently different that you can neither upgrade directly from XP to Win7 nor roll back (or downgrade) from Win7 to XP.

To go back to XP on a Win7 box, you have to start over and give XP a clean slate to work with. Here are two ways to do this:

  • If you have sufficient disc space, you can try dual-booting XP and Win7 — that is, installing XP alongside Win7 but in its own otherwise-empty partition. (Need help? See Lincoln Spector’s May 6, 2010, Insider Tricks article, “The absolutely safest way to upgrade to Win7.” Its instructions for setting up a dual-boot system work for downgrading, too.) This way, you’ll be able to copy files from the Win7 setup to the XP setup, keeping both operating systems available until you’re sure you’ve stripped the Win7 setup of everything you need.

  • You can also make an image backup of the Win7 system. Then separately copy all user files and data to CDs or DVDs. Make a list of all the software you use and note all serial numbers, product keys, sign-ins, passwords, and so forth on the Win7 system. When you’re sure you have everything, reformat the drive containing the Win7 system and install XP from scratch.

Sorry; there’s really no other good way.

Win8 Consumer Preview on 2GB systems

Steve Zimmerman has a smaller laptop but would like to try the Windows 8 Consumer Preview (info page).

  • “I am about to embark on a Win8 Preview VPC installation following the Windows Secrets instructions [March 14 Top Story, ‘Step by step: How to safely test-drive Win8’]. Thanks for taking the time to write the very detailed piece.

    “My only computer with sufficient HD space is my Win7 netbook. But it has only 2GB of RAM. Is that enough RAM to do the job and still have a functioning Win7 installation?”

It will be marginal, Steve, but it might work. Assuming there are no other issues, you should be able to assign 1GB to the virtual machine and have Win8 boot and run in that memory space.

I also suggest that you shut down all unnecessary apps in your Win7 system before launching VirtualBox. That way, your system can concentrate all its resources on the one demanding task you’re asking of it — running Win8 in a virtual machine.

When you’re done exploring Win8, shut down the virtual machine, and the 1GB you assigned to the VPC will be released for use by your Win7 system. Virtual machines consume RAM only when they’re actually running.

Reinstalling Windows on a RAID system

Jonathan Bello writes:

  • “My Win7 machine completely blew up on me, and I’m having issues with Windows Update and Search. I’m contemplating using your methodology in Windows Secrets to reinstall the OS. [See the July 14, 2011, Top Story, ‘Win7’s no-reformat, nondestructive reinstall.’]

    “My [original Win7] install failed because I set up RAID 1 in the BIOS. Once I disabled RAID, the OS installed fine. I then created the RAID using Intel Rapid Storage. I’m wondering whether I should disable RAID again before the reinstall.”

As a general rule, the greater the complexity of an initial setup, the greater the risk that something will go wrong. I suggest setting up the OS on the simplest, nonRAID setup you can. After the OS is up and running properly, add back the complexity of RAID.

If that’s not possible, then make a reliable, off-system backup — one where the backup files are not on the RAID system. (For example, store them on a DVD/CD, on a networked or external drive, in the Cloud, or in some other safe place of your choosing.)

After your data is safely backed up off the RAID system, you can try installing the OS with RAID enabled from the get-go. If everything works, you’re golden. If it fails, you still have your off-system backups to rely on.

Is a router-based firewall all you need?

Jeff Sedlock asks:

  • “I’ve read different articles about whether to have Windows’ firewall active when you have a hardware firewall on your router. I’d like to know what you recommend.”

I use both firewalls. In fact, I regard my local, Windows-based firewall as my primary defense. My router firewall works as a pre-filter that screens out the routine hack attacks.

With two layers of firewalling, there are two chances of stopping an unwanted connection before it gets going.

Moreover, I’ve never found a good way to monitor router firewalls in real time. Windows, on the other hand, alerts you if your local firewall is off, absent, or crashed.

For these reasons, I run a separate firewall on every end-point network device I can — and most certainly on all my Windows PCs.

So I wouldn’t be comfortable with just a single, hard-to-monitor, router firewall as my only line of defense. But the choice is yours.

Feedback welcome: Have a question or comment about this story? Post your thoughts, praise, or constructive criticisms in the
WS Columns forum

= Paid content

All Windows Secrets articles posted on 2012-04-11:

Fred Langa

About Fred Langa

Fred Langa is senior editor. His LangaList Newsletter merged with Windows Secrets on Nov. 16, 2006. Prior to that, Fred was editor of Byte Magazine (1987 to 1991) and editorial director of CMP Media (1991 to 1996), overseeing Windows Magazine and others.