How-to: Understand Website 'Identity Information'

...or more precisely, when a reputable website such as displays a warning triangle and the message: "this site does not supply identity information."

You may notice the warning triangle in the address bar on sites that use the HTTPS, SSL and TLS protocols and certificates, and get the message when you scroll over it. WordPress? Really?

Let's replay Internet Security-101, with apologies to the technically 'ept' (not the 'inept').

The "identity information" is normally provided when a secure site certificate is presented to your browser. When you connect to a site's secure server, denoted by the "https" address prefix, the encrypted certificate is supposed to ensure authentication. Regular HTTP traffic is not encrypted, doesn't authenticate and doesn't worry about "identity information." This is how most of the Internet used to work before the increase of hacking, and why so many more sites have switched to SSL or TLS connections under encrypted certificates, not just e-commerce, banking, and log-in pages to account-based services.

SSL also ensures traffic is unchanged end-to-end as it is transmitted, so what you get is un-tampered.

So why does a site like suddenly throw that warning triangle and the message: "this site does not supply identity information?"

For one thing, it is not the whole site. consists of millions of sub-domains, all sat under the main HTTPS SSL certificate. Go to root URL and it is perfectly fine. Go to a sub-domain such as and the warning appears. Why?

Usually you will get that warning when the site is displaying mixed content, by which we mean the site is using files not located in its own directory or own server. So for I can tell you all the article images being displayed actually sit on Google Picasa; rather than upload all the images to the WordPress server, we link across to the master files on Picasa.

However, the browser is checking not only the host site identity, but also the secondary site identity when there's external content being loaded from outside the host. Now while Picasa also uses HTTPS under a certificate and has its own identity, that does not match the credentials presented for - that's if the Picasa credentials even make it through the call, which for this type of simple content call, they wouldn't.

In this example, I'm not going to worry; but then it's from one of my sites, and I know what's on there.
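To run the same check on a page of your own, the following added example (not part of the original post) lists every file a page pulls in and marks whether it comes from the page's own origin, from another host, or over plain http://, which is the case browsers' mixed-content checks report. The page URL, hostnames and HTML are constructed placeholders, and `audit` and `SubresourceAudit` are names chosen here.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute whose URL the browser fetches while rendering the page.
FETCH_ATTRS = {"img": "src", "script": "src", "iframe": "src", "embed": "src",
               "source": "src", "object": "data", "link": "href"}
# <link> fetches only for these rel values; rel="canonical" is just a hint.
FETCHING_RELS = {"stylesheet", "icon", "preload", "modulepreload"}

def origin(url):
    p = urlsplit(url)  # .hostname is already lower-cased
    return (p.scheme, p.hostname, p.port or (443 if p.scheme == "https" else 80))

class SubresourceAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.findings = page_url, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        ref = attrs.get(FETCH_ATTRS.get(tag, ""))
        rels = set((attrs.get("rel") or "").lower().split())
        if not ref or (tag == "link" and not rels & FETCHING_RELS):
            return
        url = urljoin(self.page_url, ref.strip())  # resolves /path and //host
        scheme = urlsplit(url).scheme
        if scheme not in ("http", "https"):
            return  # data:, blob: and similar involve no remote server
        same = origin(url) == origin(self.page_url)
        verdict = "same-origin" if same else "third-party"
        if scheme == "http" and urlsplit(self.page_url).scheme == "https":
            verdict = "insecure-http"  # what mixed-content checks report
        self.findings.append((tag, url, verdict))

def audit(page_url, html):
    parser = SubresourceAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: hostnames and paths are placeholders, not a real site.
SAMPLE_PAGE = "https://blog.example.com/2013/post/"
SAMPLE_HTML = """<link rel="canonical" href="http://blog.example.com/2013/post/">
<link rel="stylesheet" href="/theme/style.css">
<script src="//cdn.example.net/lib.js"></script>
<img src="http://photos.example.org/album/pic1.jpg">
<img src="https://photos.example.org/album/pic2.jpg">"""

if __name__ == "__main__":
    print(*audit(SAMPLE_PAGE, SAMPLE_HTML), sep="\n")
```

In the sample, the two images sit on the same photo host, yet only the one linked with http:// is reported as insecure; switching that link to https:// turns it into an ordinary third-party fetch.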

You have to bear in mind that this mixed content can be any kind of file: JavaScript, PHP, images, documents, PDFs. What web browsers such as Firefox are doing is flagging potentially hazardous content that may harm your computer and its contents. The browser can't establish the provenance of the secondary content; it is up to your judgement when you see the warning (you do see the warnings, right? Just checking) as to whether you proceed on that site. You know it's a reputable site? Go ahead. Not so certain? Get the heck out of Dodge. RC