need some help: how do we figure out what bit on a page is "insecure"

We have a rather lovely page here:  https://permies.com/t/61733/Great-American-Farm-Tour

On other pages on permies, chrome says "secure".  Somebody reported this page as their browser freaking out about it being "insecure".  So I think there is an image on that page that is loaded with "http" instead of "https".  

Is there a plugin or maybe a web page somewhere (where you plug in a url) and it can tell you what bit of a page is the problem?

The page has a mix of secure (https:) and unsecure (http:) links on it.  Note the missing "s" in the unsecure links

About 1/3 of the links to other parts of permies.com on that page is an unsecure http: link that then gets redirected to https: after you click on it.
There are nearly 300 unsecure links on that page.  Chrome doesn't complain about them, but other browsers might.

For example:
"https://permies.com/forums/f-83/books"
"https://permies.com/forums/f-59/chickens"
"https://permies.com/forums/f-116/forest-garden"
"https://permies.com/forums/f-117/hugelkultur"
"https://permies.com/forums/f-93/hunting-fishing"
"https://permies.com/forums/f-75/wofati-earth-berm"

If you'd fix your code that generates your pages to only point to https: links, that might fix the problem, it would at least make it easier to track down.

Note: you also have several unsecure links to java code:
https://permies.com/name.jsp

unsecure links to php:
http://polyfaceyum.com/shop/index.php?main_page=product_info&cPath=1&products_id=2&zenid=un4ih3g2ttkq1vh1tvs61mgqt0

and links to:
http://bit.ly/2l9VI7X
http://crmpi.org/

To view the page source code from Chrome, right click on the page then select "view source", you can then do a search (ctl-f) for "http:"

I suspect the pictures from photobucket are http not https

My guess is that http links are fine.  But embedding an http image makes the page insecure.   Would that be correct?

I guess I am hoping to get a tool that will highlight the images that are insecure.

On that particular page, a script belonging to google is generating http:// thumbnails for the videos.

I can check that, by waiting a long, long time for the page to load, and then selecting "Tools -> Page Info -> Media" using the current version of FireFox web browser. Yes. I still use a menu, those that don't can get to "page Info" by right clicking on the background of the page.

I waited 5 minutes and the page didn't finish loading.  I tried to find out why and it locked up my browser

If it has to do more with pictures being http: and not https: then why is the search page insecure?

That's sneaky!

Perhaps that is something that we can change on our end?

I don't know what this is, but I was right clicking stuff and it says "view page source" or something like that.  I clicked it for this page and it looked like html with all the pointy brackets and stuff.  I did a contrlF (find on page) and searched "http:" and it found 111 instances of that on the page.  

Sure, there are plug-ins, like https://wordpress.org/plugins/ssl-insecure-content-fixer/
Though, I have no idea what is trustworthy or worthwhile. This is where my techno-brain stops working and I depend on others.

Here is a helpful article and tool for finding/fixing mixed content:
https://developers.google.com/web/tools/lighthouse/audits/mixed-content

Google is really looking to lock down HTTPS in July:
https://security.googleblog.com/2018/02/a-secure-web-is-here-to-stay.html

In Chrome or Firefox
F12 brings up the dev/debug console thing.

Click "Console" (Firefox/Chrome)
and expand "Mixed content" for Chrome.

That should give you the list of insecure items.



Regarding that page:
'http://i1.ytimg.com/' seems to be the main offender.

They seem secured if I am not logged in.
When I log in the dev debug tool freaks out about all the insecure items.


-Ryan

Ryan,

I loaded the page, f12 ... how do I "expand 'mixed content'"?

I see "79 errors" - that seems upsetting.

There should be a tiny arrow pointing right (à la plus/minus tree expansion in most stuff)
Click that.


Also, try it logged out.  It's looks fine when I log out.
Weird, no?

It came up this time!

And the really big thing ....  I went to a different browser (chromium) and ....  the page is fully secure.   I think you mentioned that.  

So whatever the insecure thing is, it is fixed when somebody is not logged in.  But is broken when I am logged in.