
How do I stop the warning about non-secure items or mixed content? - 11/30/06

From: Email Guy
Subject:       How do I stop the warning about non-secure items or mixed content?
Date: November 30, 2006 11:59 PM

For some reason Internet Explorer (see UPDATE below about Netscape) is unique among browsers in having an annoying popup warning box anytime a web page viewed over a secure HTTPS connection contains any content that is not secure. It can be triggered by an image in an email message, or an advertisement on the page, which obviously presents no security risk. If you've ever seen this popup you know what I mean:


[Image: mix-content.gif]

*** This image is part of this post, not a real popup. Clicking won't make it go away. ***

In Web Mail some users choose the option under "Preferences / Web Mail Options" to use a Secure Session. If you are seeing the mixed content warning, then you have changed this setting. This option is handy for users who are on shared local networks with other users, or on a wireless connection, and don't want their browser traffic (and email) to be susceptible to snooping by a clever hacker. The secure session encrypts the connection to the Web Mail server and protects the content traveling to and from your browser. Users not in one of these scenarios don't have much real use for this setting, other than perhaps a feeling of increased security (usually a misconception), at the expense of slightly lowered performance. That's why we default it to Off. (Note that the login page is always secure to protect you.)

A side effect of using the Secure Session option in Web Mail is that our ads, and the content of your own email messages, will often cause this annoying popup message if you use Internet Explorer. The message is pretty useless and fortunately it can be turned off. To disable the message, follow these steps:

  1. Click the Tools menu, then Internet Options.
  2. Select the Security tab at the top, then click the Custom Level button.
  3. Scroll down about halfway to the Miscellaneous section and look for the setting for "Display Mixed Content".
  4. Select the Enable option.

Now you won't have to deal with that annoying (and for most users completely useless) popup message anymore. If you are a rare user for whom this is actually an important warning, you know who you are, and you will know what is best in your own situation. The rest of us will just turn it off.

UPDATE - I've found that Netscape also has a similar setting, but it doesn't come up as often as it does in Internet Explorer. To disable it in Netscape 7/8 go to Edit / Preferences / Privacy and Security / SSL - and uncheck the bottom box that says, "Viewing a Page with an encrypted/unencrypted mix."
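
To see which items on a secure page would trigger the warning, the following added example (not part of the original post, and not EarthLink code) lists every subresource that an HTTPS page would fetch over plain HTTP. It goes beyond the post by labelling each item as passive (images, media) or active (scripts, frames, stylesheets); the host names and sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose insecure loads can script or restyle the page ("active" content).
ACTIVE = {"script", "iframe", "link", "object", "embed"}
# Attribute that carries the subresource URL for each tag inspected.
URL_ATTR = {"img": "src", "script": "src", "iframe": "src", "embed": "src",
            "audio": "src", "video": "src", "source": "src",
            "link": "href", "object": "data"}

class MixedContentFinder(HTMLParser):
    """Collect subresources that an HTTPS page would fetch over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        value = attrs.get(URL_ATTR.get(tag, ""))
        if not value:
            return  # not a subresource tag (e.g. <a>), or no URL given
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # only stylesheet links load content into the page
        # Relative and protocol-relative URLs inherit the page's scheme.
        absolute = urljoin(self.page_url, value)
        if urlsplit(absolute).scheme == "http":
            kind = "active" if tag in ACTIVE else "passive"
            self.findings.append((kind, tag, absolute))

def find_mixed_content(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []  # the warning only applies to pages loaded over HTTPS
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample: a secure Web Mail page with an ad and a message image.
SAMPLE_URL = "https://webmail.example.test/inbox"
SAMPLE_HTML = """
<link rel="stylesheet" href="/css/mail.css">
<script src="//static.example.test/app.js"></script>
<img src="http://ads.example.test/banner.gif">
<div class="message"><img src="http://photos.example.test/cat.jpg"></div>
<script src="http://ads.example.test/rotate.js"></script>
<a href="http://www.example.test/">plain link</a>
"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE_URL, SAMPLE_HTML):
        print(f"{kind:8} <{tag}> {url}")
```

Ordinary links (`<a href>`) are not reported because following a link navigates away from the page instead of loading content into it.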

Discussion

Posted by: Jim McKeithan   |   December 1, 2006 2:15 PM    |   (1)

Just getting on board!

Posted by: Patty Ayazi   |   December 2, 2006 12:01 AM    |   (2)

I would really like to stop all this blocking, and see what ever mail I may have to my discretion and let me make the decisions.

Posted by: Tom Planesi   |   January 8, 2007 8:05 AM    |   (3)

The email address and password boxes keep remembering my logons even after I set it not to remember.
How do I get it to forget this information?

Posted by: Email Guy   |   January 8, 2007 8:50 PM    |   (4)

Tom - your browser is doing that, not Web Mail. Look for the setting in your browser that remembers form entries and passwords. It will be either in the Privacy settings or the Content settings depending on what browser you are using.

Posted by: Norma   |   February 20, 2007 3:28 AM    |   (5)

[1] In logging in for web mail I found several email addresses for myself in the automatic drop-down list. One on the list, when used, gave an error message of "invalid domain". How can I delete this address from the list?

[2] There are several other email addresses which I do not know. How did they get on this drop-down list? Can they be removed?

[3] Is there any way to list more than 10 items to review at a time for suspect email and other folders? 10 items takes a long time to review by the method listed.

Posted by: Email Guy   |   February 20, 2007 1:15 PM    |   (6)

Norma - that is saved by your browser, not by Web Mail. Check the setting for saving form entries, usually called autocomplete. In IE the setting is under Tools / Internet Options / Content. You can delete saved form entries there.

To change the number of messages listed per page, go to Preferences / Web Mail Options.

Posted by: dave   |   March 25, 2007 8:50 AM    |   (7)

Wow I have been searching all over the net for that cure. Thanks! I wish I could go to all those threads that have it all wrong and complex and tell them but ...they need to keep digging like I did.

Posted by: Andrew   |   July 6, 2007 3:20 PM    |   (8)

Thanks! - Pretty annoying message, and much appreciated info! ;)

Firefox appears to also have this setting - but it's almost as if someone actually put some thought into it - it's disabled by default! ;)

It's Tools -> Options -> Security Under "Warning Messages" click "Settings" and see checkbox for "I'm about to view an encrypted page that contains some unencrypted information." - If you really want to see it, you can check that checkbox.

Cheers

Posted by: Mike   |   August 1, 2007 3:06 PM    |   (9)

The Earthlink response to the alert reading "This page contains secure and nonsecure items..." regarding Internet Explorer seems to be a cop out. The user purposely sets the warning to be notified of a lack of security. Saying that Earthlink (or any) allowed advertising is nothing to worry about is not very convincing to someone that prefers a more secure atmosphere. I notice that even when no emails are present, the alert notification appears. That suggests that the Earthlink web program or Earthlink allowed advertising is the culprit in certain instances. Why not make the Webmail and the obnoxious advertising (that I'm paying for) secure instead of "mixed" security?

When you choose to change the default settings in Web Mail to use an HTTPS connection, you are informed at the point where you make that change that your browser is going to complain about advertisements and mixed content. Advertisements are not delivered over a secure connection, and there is no reason for them to be since they present zero risk. Reading Web Mail pages over a secure connection only benefits a very small set of users (wireless or LAN), hence it is not the default setting. So for users who do want that setting and choose it, turning off the warning in IE is usually a sensible thing to do in this case.

EarthLink is the only major email provider who provides the option of viewing Web Mail over a secure connection. Yahoo, Hotmail, Gmail, AOL, and others do not. We offer it as a benefit for the small subset of users that may have a need for this feature because they access it on a wireless computer or a shared LAN, and they want to be immune to snooping.

Obviously there is zero security risk from an advertisement in Web Mail. Since we build the product and run the site, and we control the allowed advertisements, we can absolutely say that with complete confidence. I think the real point is that you might want this warning to work on other, unfamiliar sites. I do understand that this may create an inconvenient tradeoff since the browser does not let you turn off the warning on a per-site basis. On the other hand, getting our ad networks to deliver HTTPS banners for the very small portion of users that would benefit from eliminating this inconvenience, isn't a good tradeoff for us.

I apologize for being argumentative, but my earlier notes on this subject were not "a cop out". I'm trying to give honest information so that you can make a choice of how you want to set up your own experience. We made a choice to not attempt to deliver advertisements via HTTPS (which is problematic), and I think it is a reasonable choice since the annoying popup in some browsers can be disabled, if you choose to.

Thanks for your feedback.

Email Guy


Posted by: gail xandy   |   October 2, 2007 12:40 PM    |   (10)

I just wanted to tell you thank you. I wish I would have found you right away. I love my web mail and panicked when it didn't show up. The EL techie I talked to on chat was helpful but not nearly as helpful as reading your articles. Have a nice day. GAX

Posted by: Bradley Warner Tompkins   |   May 21, 2009 11:42 AM    |   (11)

Hello, E-Mail Guy!

I too just want to thank you, as a die-hard road warrior. I typically spend each day planning in the office, followed by errands to wherever. (I'm retired on disability now, but I CAN'T STAND BOREDOM!) When I'm out of town on my sometimes-annual trip I wander all over the southern US for 4 to 6 weeks.

I had no clue EL was unique in offering the HTTPS mode. To me, HTTPS e-mail is invaluable. We've talked about this before: I wish there was some simple convenient means to securely bridge the gap from my e-mail boxes across to those of my friends on non-EL systems. (The effort required to set up PGP, for example, means there are few takers. The best that can be achieved in the foreseeable future, to have some simple convenient ROUND TRIP SECURE e-mail: get all your buddies to join EL (or one of its other specially-named domains - will that work too?) and teach them how to enable HTTPS.)

Whether I am using my VzW handset's cellular broadband EvDO revision A modem (connects to my MacBook Pro via USB), the AirPort/WiFi transceiver built into the laptop, my mother's wickedly fast cable, or the odd land line at a friend's or other relative's place, I never turn HTTPS OFF. At first, I turned it off when I didn't need it. It didn't take long to realize, I was forgetting to turn it on when I *did* need it. NOT good...

You mention a performance penalty. I did some quick "time to open" tests on a 133KB e-mail. All of the numbers below are seconds, from a sports stopwatch, in the order taken.

HTTPS ON: 12.75*, 8.52, 2.65, 2.88
HTTPS OFF: 2.04, 2.60, 6.98*

* these appeared to be interrupts coming from the OS, NOT delays from WebMail

I conclude that at broadband speed, the penalty is about 33%. Rarely are my letters larger... The vast majority are under 30 KB and the Lions Share under 8 KB. Not too bad a trade off.

Again, Thanks,

Brad

Thanks for the info.

To be sure you understand, using HTTPS in Web Mail only protects your connection to the Web Mail server (true for any other HTTPS web site too) and is intended to protect you when on wireless or a LAN, so that others on a shared network can't snoop your content. But when you send email, from Web Mail or from any other software, it always goes out over the public Internet in plain text, on any email system not just here, and so it is not encrypted. This is a very tiny risk that is inherent to email itself, everywhere. So for truly secure email, you must use a shared encryption scheme with your recipients, like PGP or similar.

If you are using a hardwired broadband or dialup connection from your home, there is no benefit to turning on the secure session. When you use a public wifi while traveling, it is useful then.

Email Guy


Posted by: Bradley Warner Tompkins   |   May 30, 2009 11:27 AM    |   (12)

Hi, again!

follow-up about HTTPS:

The finer points of this stuff are intriguing!

Obviously I was missing something important...

So to see if I've got it now:

Suppose I send my e-mail securely and it arrives routinely at EL server # 47 in a major city in Virginia (made-up for discussion, of course!). Meanwhile my business partner and I are sharing design specifics of the most amazing gizmo... She is also sending her e-mail securely and it arrives routinely at EL server # 976 in a major city in New Mexico. (BTW, *both* of us ditched our land lines in 2003, and now cell phones are our only phones. In the news recently: The rate at which people are ditching their land lines is steadily accelerating!)

Are you saying the hypothetical trunk between Albuquerque, NM, and Richmond, VA, is ALWAYS in plain text unless an individual has used PGP (for example) to encrypt his or her microscopically tiny slice of the pie?

If EL owned and controlled (and did NOT share) the trunk directly, that would actually be almost as secure as PGP. Sadly, you imply EL is NOT necessarily the owner, and it is shared with enough other players that shenanigans are likely.

So, what's my grade? Do I understand now?

Dude, your tutorship is priceless!

Thanks,

Brad

If both sender and recipient are EarthLink mailboxes, using SSL in Web Mail completely protects you since we are not sending your email over the public Internet. If your recipient is external, all email is always sent in plain text (SMTP protocol) during the hop when it must be handed off to a remote network. The only way to protect that link is to encrypt the message itself with something like PGP.

The path is, you send via Web Mail to an EarthLink mail server, using HTTPS, and that is secure. We then have to hand off your email to a remote network where your recipient mailbox resides, and that is a plain text transfer. Then the recipient retrieves the message from his mailbox provider, using HTTPS or not, up to him.

The exact same process is true when you use other email software like Outlook, which can encrypt that first hop to your provider if you set it that way.

That said, the risk from a rogue network engineer with access to the Internet backbone somewhere in between the two networks, who happened to be interested in your emails and had the ability to intercept them, is almost zero. My point was just that email sent between networks is always plain text unless you encrypt it yourself. HTTPS just encrypts the browser connection to the Web Mail site. The purpose is to prevent snooping of your connection to us when you are on wireless or on a LAN.

Email Guy


Posted by: Bradley Warner Tompkins   |   June 2, 2009 12:11 PM    |   (13)

re. "HTTPS"

Thanks Again,

Brad

Posted by: Eber Irigoyen   |   June 13, 2009 6:28 PM    |   (14)

IE8 changed the message so you have to answer the opposite now

http://ebersys.blogspot.com/2009/03/do-you-want-to-view-only-webpage.html

Posted by: Lisa   |   December 18, 2009 10:54 AM    |   (15)

Thanks so much for helping me get that box off that says secure/non-secure items etc. Have wanted 2 for years!!!!!!!!!!
