Chrome: Your connection is private but someone might be able to change the look of the page

The page that your browser displays on the screen might consist of many elements: the HTML code, CSS, images, etc. Also some of the content might be provided, enhanced, or altered by (legitimate) scripts downloaded from the site. These elements might be included from the same server or from other servers.

For Chrome to display the "Your connection to this site is private" message, for each element of the page:

  • an encrypted HTTPS connection must be established
  • site certificate (identity) must be valid
  • non-deprecated protocols and algorithms must be used

If one or more of the elements is included through a non-encrypted HTTP link, then:

  • if it is a script, Chrome will display a message:

    Your connection to this site is not private because the site loaded an insecure script.

    In such a case there is a possibility that the script was replaced with a malicious one. Any data you receive from the site or send to the site can be intercepted and changed.

  • if it is (only) passive content (like an image), Chrome will display a message:

    Your connection to this site is private but someone on the network might be able to change the look of the page.

    In such a case no one would be able to sniff your data or read the information that the site provided. However, by altering the look of the page you might be tricked into performing an action you did not originally intend to, for example resetting your password. Although the password change itself would be secure and legitimate, it might benefit the attacker.

    Also, this message is not 100% accurate. Depending on the actual passive content being included, a passive attacker can deduce what actions you took on the encrypted site. Unlike with HTTPS, with HTTP the full URL would be visible, so if a certain page loaded a unique set of icons, an attacker would be able to tell you reached that page.


techraf's answer has a great general explanation; I just want to add the direct cause in the page you identified in your comment:

https://egov.uscis.gov/crisgwi/go?action=offices

The warning that Chrome gives you is a bit confusing, but the specific issue on this page is the Search button at the top, which is part of a form that contains a non-HTTPS endpoint:

<form action="http://www.uscis.gov/portal/site/uscis/menuitem/" 
      method="get" name="searchForm">
    ...
    <input type="image" name="submit" 
           src="images/branding/searchButton.gif" 
           id="uscisSearchBtn" title="Search">
</form>

Chrome is complaining about the HTTP target of that form.

The way you can find this out is:

  1. Click the icon to the left of the URL in the address bar to bring up the warning.
  2. Click "details" underneath. You'll see some details.
  3. In this case, there's another little warning icon on the top right of the analysis window. This will bring up the console (you could also skip these first 3 steps and just open up the developer console directly, if you're already used to doing this).
  4. Here you will generally find a more detailed message, containing both a description of the issue and identifying the problematic resource.
  5. To the right of this message you'll find the name of a file and a line number. Clicking it will open up the page source with the item in question underlined in red.

Here's my attempt at recording that process in an animated GIF (click it to view it in full res):

Sorry, I don't know what risks are associated with this, but that's at least the precise source of Chrome's warning. Hope that helps.


This means the site loaded requested http resources on an https link. An attacker could manipulate the http resources and attack through those. If you open the console, you will see many Mixed-Content warnings, which explain it.
Reference: https://productforums.google.com/forum/#!topic/chrome/NLTAR28lqU0
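
For a site owner who wants to find these references in a page's markup rather than in the browser console, here is an added example that is not part of the original answers: a standard-library Python audit that resolves every reference against the page URL and reports the ones that end up on plain HTTP. The labels `active`, `passive` and `insecure-form`, the `audit` helper and the `example.com` resources in the sample are assumptions of this example; the form and page URL are the ones quoted above.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# How a browser treats each (tag, attribute) reference that resolves to http://
KINDS = {
    ("script", "src"): "active", ("iframe", "src"): "active",
    ("link", "href"): "active", ("object", "data"): "active",
    ("img", "src"): "passive", ("input", "src"): "passive",
    ("audio", "src"): "passive", ("video", "src"): "passive",
    ("form", "action"): "insecure-form",  # submission target, not a subresource
}

class MixedContentAuditor(HTMLParser):
    """Collects references on an HTTPS page that resolve to plain HTTP."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, resolved URL, source line)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # <link> only loads a subresource for stylesheets; skip canonical etc.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for name, value in attrs.items():
            kind = KINDS.get((tag, name))
            if kind is None or not value:
                continue
            # Relative URLs inherit the page's scheme, so resolve before checking.
            resolved = urljoin(self.page_url, value.strip())
            if urlparse(resolved).scheme == "http":
                self.findings.append((kind, tag, resolved, self.getpos()[0]))

def audit(html, page_url):
    parser = MixedContentAuditor(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample page; only the <form> and page URL come from the answer above.
SAMPLE_URL = "https://egov.uscis.gov/crisgwi/go?action=offices"
SAMPLE_HTML = """<script src="http://cdn.example.com/app.js"></script>
<link rel="canonical" href="http://example.com/">
<img src="http://static.example.com/logo.png">
<form action="http://www.uscis.gov/portal/site/uscis/menuitem/" method="get">
<input type="image" src="images/branding/searchButton.gif">
</form>"""

for kind, tag, url, line in audit(SAMPLE_HTML, SAMPLE_URL):
    print(f"line {line}: {kind} <{tag}> -> {url}")
```

The relative `src` of the image button resolves to HTTPS and is not reported, which leaves the form's `action` as the only finding that comes from the quoted markup.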
