We are thinking of SSL-enabling part of our website, but some pages contain ads from third-party vendors (like Google AdSense).
I'd think this will create an annoying problem for our users, since they are going to see a warning message like "This page contains both secure and non secure items" when they view a page with ads. However, when I browse to Gmail with https instead of http, I don't see that warning in Firefox.
Does anyone know how Gmail hides this?
> some pages contain ads from third-party vendors (like Google AdSense)
Then the browser is right — that isn't secure.
With AdSense and most other ad networks you are given a link to JavaScript. When you refer to any external <script>, you are giving complete trust over the contents of your page to the external script provider. You need to trust them to do only what they say they're going to do (show an ad), and not something nefarious like take over the login form from the page it's on and steal values you type into it, or, if the “ad” script were included on your bank account page, automatically empty out all your money.
So external scripts are a trust problem, but if you are using a vendor that provides an HTTPS interface to their ads, then at least it's only one known party you have to trust. If the ad provider only has an HTTP interface, then you're sending out your trust to anyone who can grab control with a man-in-the-middle or similar attack. You are effectively reducing the trust level of your entire page to that of plain unencrypted HTTP, so the browser is quite correct to complain that the page isn't actually any more secure than any old HTTP site.
Google's documentation indicates this is a known issue and does not offer a workaround: https://www.google.com/adsense/support/bin/answer.py?answer=10528