Mixed Secure and Insecure Content
When using a secure, encrypted connection, give special consideration to any HTML links you include. Specifically, be aware of the consequences of mixing the secure content with content from a location that is not secure. For example, linking to an image, script, or style sheet via an HTTP based URL instead of a secure HTTPS based URL. This is referred to as mixed content, because the main HTML content was loaded using a secure, HTTPS connection, but additional content on the page is referenced by an HTTP call which includes no security.
Linking to only secure content helps ensure the integrity of the content and provides a more secure shopping experience.
Linking to insecure content presents the opportunity for malicious activity such as sniffing and man-in-the-middle attacks. For mixed passive content, such as image, audio, or other media source, a malicious party can alter the image or media and change what is displayed to the visitor. Mixed passive content does not allow for alteration of any other part of the page.
Mixed active content, such as script or iFrame source or hypertext links pose an even greater danger because it allows for even more destructive attacks such as installation of malware or theft of user personal data.
As a security measure, most web browsers check for mixed content and display a warning message to the user that the page contains content that is not secure. In some instances, this content does not display at all.
When you use a secure, encrypted connection and link to other content, SMT checks to see if that content is also secure. If it is not secure, then SMT warns you that the HTML includes a link to content that is not secure. Best practice is to link only to secure content.