Mixing and Matching SSL and Non-SSL Content

Once upon a time, I was in a heated debate with a Sr. Web Engineer about their highly ranked Alexa website. From inception, the web engineering team had architected their robust, highly trafficked website mixing and matching SSL and non-SSL content, sometimes putting the content on the same page and in the same folders. They had been running this way for a few years with their current CDN. While on the phone with the engineer, it got so heated that he started name-dropping his previous employers and his vast experience in building big-time web applications, while my mouth started dropping in awe, and I started beating myself up as to why I was such a rookie 🙂

During the call, I knew I wasn’t going to win the debate with a maestro programmer, so I just sat in silence. After the call, I wrote him a short, simple email. About 3 to 4 days afterwards, I got an email from the engineer stating that his team had already started re-architecting their entire website according to what I prescribed in the email. My engineering team wondered why the dramatic change, and I pointed to my email. In the email, I simply stated that mixing and matching secure and non-secure content on the same page and in the same folders is a big security no-no that goes against best practices.

I wrote in the email, “please don’t take my word for it, or my company’s word for it, look to what Qualys and OWASP say on the subject”: that SSL and non-SSL traffic should not be mixed and matched because it goes against best practices. They say that from a security perspective, all website properties should follow best practices and separate SSL and non-SSL content. When I sent the email, I made sure I sent it to their entire engineering team, putting the team on notice. It was a win-win situation for both of us, and we were both happy at the end. And I built a solid relationship with that engineer because a new perspective was brought to the table.
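The mixed-content problem described above is straightforward to check for before a page ships. The following is an added example, not code from the original post or from the site in question: it walks an HTML document with Python's standard-library parser, resolves every subresource reference against the page URL, and reports those that would be fetched over plain HTTP from an HTTPS page. The tag/attribute table and the sample page are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that fetch a subresource; plain http:// here on an https page is mixed content.
SUBRESOURCE_ATTRS = {
    "script": ("src",), "link": ("href",), "img": ("src",),
    "iframe": ("src",), "source": ("src",), "form": ("action",),
}

class _RefCollector(HTMLParser):
    """Collects (tag, attr, raw value) for every subresource reference in the document."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = SUBRESOURCE_ATTRS.get(tag, ())
        for name, value in attrs:
            if name in wanted and value:
                self.refs.append((tag, name, value))

def find_mixed_content(page_url, html):
    """Return [(tag, attr, resolved_url)] for each http:// reference on an https page."""
    if urlsplit(page_url).scheme != "https":
        return []  # an http page cannot have mixed content; the whole page is unprotected
    parser = _RefCollector()
    parser.feed(html)
    findings = []
    for tag, attr, value in parser.refs:
        resolved = urljoin(page_url, value)  # relative and scheme-relative (//) refs inherit https
        if urlsplit(resolved).scheme == "http":
            findings.append((tag, attr, resolved))
    return findings

# Constructed sample page: one relative ref, one scheme-relative ref, three plain-http refs.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/assets/site.css">
<script src="http://cdn.example.com/app.js"></script>
</head><body>
<img src="//cdn.example.com/logo.png">
<img src="http://cdn.example.com/banner.png">
<form action="http://www.example.com/login" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content("https://www.example.com/", SAMPLE_HTML):
        print(f"mixed content: <{tag} {attr}> -> {url}")
```

Only the three absolute http:// references are reported; the relative and scheme-relative ones inherit the page's https scheme and are fine.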