一个人在互联网上可能会遇到各种各样的麻烦，因此，尽可能安全地建立一个连接总是一个好主意。但是当你的浏览器说一个安全的网站不是完全安全的时候，你会怎么做呢？今天的超级用户问答帖子回答了一位忧心忡忡的读者的问题。

今天的问答环节是由SuperUser提供的，SuperUser是Stack Exchange的一个分支，是一个由社区驱动的问答网站分组。

问题

超级用户读者David Starkey想知道为什么他的浏览器说一个安全的网站不是完全安全的：

I was accessing Pandora via SSL and noticed a few ic*** by the URL. First is this exclamation point in a triangle, indicating the page is not fully secure.

Next to it is a shield. This one says content that is not secure is blocked.

These statements, at least to me, seem to contradict each other. Can someone explain this to me? Is my connection secure or not? I accessed the Pandora website using Firefox 30.0 on Windows 7. I also have HTTPS Everywhere installed.

这是怎么回事？大卫与潘多拉网站的连接是否安全？

答案

超级用户贡献者redburn为我们提供了答案：

This is called a “mixed content” page. From the Mozilla Developer Network (Mixed Content):

• If the HTTPS page includes content retrieved through regular, cleartext HTTP, then the connection is only partially encrypted: the unencrypted content is accessible to sniffers and can be modified by man-in-the-middle attackers, and therefore the connection is not safeguarded anymore. When a webpage exhibits this behavior, it is called a mixed content page.

The statements are not contradictory, but complementary, and a little confusing perhaps. The first says the page itself is not fully secure because it contains unencrypted elements (all web browsers will notify you of this), whereas the second notes that these elements have been automatically blocked by Firefox.

If Firefox did not block the unencrypted elements, then strictly speaking, the page would not be secure.

HTTPS Everywhere does not guarantee a secure connection. It will only try to force HTTPS whenever it is available; if it is not, then there is nothing a user or browser can do about it outside of blocking the unsecure content.

有什么要补充的解释吗？在评论中发出声音。想从其他精通技术的Stack Exchange用户那里了解更多答案吗？在这里查看完整的讨论主题。