HTTPS displays as non secure for RBC bank
I went to the web site "https://jobs.rbc.com/ca/en" and Firefox shows lock with a caution symbol icon, see enclosed. However when I open "web developer" then "network" to view what part is not secure none of the components are insecure even when I scroll through the list.
Why does Firefox 64 show the site as insecure?
Wót Mace2
Wšykne wótegrona (7)
Hello mace2,
Would you please take a look at this article :
https://support.mozilla.org/en-US/kb/mixed-content-blocking-firefox
When you scroll down some, you will see :
A grey lock with an orange triangle indicates that Firefox is not blocking insecure passive content, such as images. By default, Firefox does not block mixed passive content; you will simply see a warning that the page isn't fully secure. Attackers may be able to manipulate parts of the page, for example, by displaying misleading or inappropriate content, but they should not be able to steal your personal data from the site.
I see the shield icon indicating that Content Blocking is active. You can check the Web Console tab to see more detail about what content is blocked by CB and what content is loaded over an open HTTP connection causing the exclamation mark to appear.
- "3-bar" menu button or Tools -> Web Developer
- https://developer.mozilla.org/en-US/Tools/Web_Console
The web console shows the following info that the network view did not initial.
Loading mixed (insecure) display content “http://assets.phenompeople.com/CareerConnectResources/RBCAA0088/en_ca/desktop/assets/images/thumb/bup/I&TS.png” on a secure page[Learn More]
I am still not sure why the network view did not show the insecure value. It does now
Attached the now working view from "web developer" "network" showing non https components.
I am using FF64.0.2 and click the link and clicked the login and got no warning about security.
If you would hover such an image then you should see a preview. This is a problem with the website. Firefox merely warns you by showing an exclamation mark attached to the padlock. You can contact the website to inform them about this insecure mixed content on their pages.
I would not expect to see that on the bank's own secure pages, but these job listings might not be equally secure because they could contain "user generated content" on HTTP paths that the person submitting the listing never tested in a secure context (or didn't care!).