"Insecure content" on two European Amazon domains + browser error?

I already wrote about this subject on “General topics” subforum but thought this would probably fit better here, also providing more collected info about it.

So starting from two days ago when I went to browse Amazon.de, for the first time (that I recall) I noticed that on the front page Firefox had “insecure content” (sorry, I use the Finnish version of the browser so I’m not sure what the exact term in English is, but point being it gave the icon with orange warning triangle next to grey lock). Firefox didn’t seem to find any non-HTTPS images on the site on its page information tool menu. However, when I opened the browser console, it said this unsecured domain loaded on the page:

hxtp://z-ecx.images-amazon.com/images/G/01/AUIClients/AmazonUISpinner-spinnergray_2x-d4dc5be75361ec92bee9941f2c6e86cab26fe388._V2.gif

Later when I did some product searches, I noticed the “insecure content” icon didn’t appear on pages of singular products or most product search pages. However, when I went to browse “CDs and Vinyl” category, the icon popped out again and I once again opened the server browser to see what caused it, and it gave me this error:

"Error logged with the Track&Report JS errors API(hxtp://tiny/1covqr6l8/wamazindeClieUserJava): {"m":"[CSM] Insecure content detected img : hxtp://g-ecx.images-amazon.com/images/G/03/music/marc/SMSAmazon2.jpg","csm":"v5 ueLogError stack","logLevel":"WARN","attribution":"//*[@id='nav-flyout-aj:hxtps://images-eu.ssl-images-amazon.com/images/G/03/digital/music/dmusic-flyout-subnav.json:subnav-dmusic-flyout-physical:0']/DIV[2]/DIV/DIV[5]/A/IMG","pageURL":"hxtps://www.amazon.de/s/ref=nb_sb_noss?__mk_de_DE=%C3%85M%C3%85%C5%BD%C3%95%C3%91&url=search-alias%3Dpopular&field-keywords=big+hero+6&rh=n%3A255882%2Ck%3Abig+hero+6","s":["N/A"],"t":8630}" Object { m: "[CSM] Insecure content detected img…", name: undefined, type: undefined, csm: "v5 ueLogError stack", logLevel: "WARN", attribution: "//*[@id='nav-flyout-aj:https://imag…", pageURL: "hxtps://www.amazon.de/s/ref=nb_sb_n…", f: undefined, l: undefined, c: undefined, 2 more… }

Sorry if that bunch of code is somewhat incomplete, but that’s the direct copypaste I was able to paint from the console. I decided to share this just in case. I’m not sure if these Amazon domains have always had http content popping up in some parts of the sites, but I’ve never seen them in site’s front page before. I tried another European Amazon domain, amazon.co.uk and it showed “insecure content” icon too.

(also on a side note, when I scanned both amazon.de and amazon.co.uk on Sucuri, it showed apparently .co.uk had website firewall while .de apparently didn’t)

That’s normal on sites that provide mixed content.

So that error message is something that can happen normally too?

Dear Pernaman,

Could be an alert for the lacking security of that connection.
The IP 52.222.174.189 has been known to launch particular adware, blocked by Adguard etc.
Here I find nothing flagged: http://urlquery.net/report.php?id=1496765181020

When you come across alerts because of the new https/http policy for insecure connection,
such an alert does not say anything about the security status of the website as such.

A whole lot of people now have come to misinterpret such alerts,
and Google nor Firefox for that matter should have explained these particulars to their users.
So there has been a new interpretation of the so-called “green padlock”.
What does the average user know?

What does the secure connection to a site bring you, when a free certificate has been installed as root, and we find issues in the HTTPS Only Atlas for that domain or in the crypto report. :o
I think this is pure esthetics, cosmetic and misleading to end-users as they do not value such information right,
as someone with relevant knowledge would.

polonus (volunteer website security analyst and website error-hunter)

Thanks for input polonus :smiley:

Amazon.de and amazon.co.uk no longer make “insecure content” alerts or console errors on my browser.

I went and tested browsing amazon.de and it showed “insecured content” icon again on “CDs & Vinyl” category page and this time when I went to see FF’s page info and browsed through images loaded on the page, this time this non-https image was listed there:

htxp://g-ecx.images-amazon.com/images/G/03/music/marc/SMSAmazon2.jpg

For some reason the image didn’t appear on the site itself though, but it showed the image file itself on the page information media list and it seemed simple little advert for a music band. However, Adblock doesn’t seem to include this image as blocked element on the site so I’m not sure what would cause it to not show.

EDIT: apparently the said image was one of the images hidden behind Amazon’s normally hidden browsing menus that appeared once I put my mouse on one of their category banners. Sorry about the commotion :-[