I have a page that forces SSL and everything checks out fine in my browser without any query strings. I added some query strings in order to query the database for a particular product that we offer and now Google Chrome says "Your connection is encrypted with 256-bit encryption. However, this page includes other resources which are not secure." Is this something to worry about? Is Chrome only wary of the query strings?
If your query string opens a page that presents images or content not hosted within the domain(s) listed in the SSL certificate, then Chrome is simply warning you that some of the content on the page is not encrypted over SSL because it's being retrieved from an unencrypted source.
Basically, if your content page includes content from another source (i.e. inline frame, image, YouTube video, etc.), the page content is not completely secure.
If I set up a simple web server online (eg nginx), and generate a very large random string (such that it is unguessable), and host that endpoint on my domain, eg
example.com/<very-large-random-string>
would I be safe in say, hosting a webapp at that endpoint with no authentication to store my personal information (like a scratch-pad or notes kind of thing)?
I know google docs does this, is there anything special one has to do (again, eg for nginx) to prevent someone from getting a list of all available pages?
I guess what I'm asking is: is there any way for a malicious actor to find out about the existence of such a page, preferably irrespective of what web server I used?
I'd be pretty alarmed if my online bank started using this system, but it should give you a basic level of security. Bear in mind that this is security through obscurity, which is rather frowned upon and will immediately turn into no security whatsoever the moment someone discovers the hidden URL.
To prevent this from happening, you will need to take a few precautions:
Install an SSL certificate on your server, and always access the URL via https, never via http (otherwise the URL path will be sent in plain view and visible to everyone along the way).
Make sure your secure document contains no outgoing links. This includes not only hyperlinks (<a href="...">) but also embedded images, stylesheets, scripts, media files and so on. Otherwise the URL will be leaked to other domains via the Referer request headers.*1
(A bit of a no-brainer, but) make sure there are also no inbound links to this page. Although they aren't so common now, web hosts used to generate automatic "web stats" pages showing the traffic to each web domain. Some content management systems generate a site map automatically. This would be just as bad.
Disable directory browsing on your server. In other words, make sure that someone who visits the directory level above your hidden directory isn't presented with a list of subdirectories.
Bear in mind that the URL will always be visible in your address bar and browser history, and possibly in other places like your browser's cookie jar. Your browser will probably provide the rest of the URL by auto-complete when someone types the domain into your address bar.
*1: Actually, your browser will only send a Referer header when you access other https pages, but still...
Well, I have this website made with WordPress hosted on HostGator web hosting. Sometimes when I access it with some browsers like Firefox it gives me this error:
The text is in Spanish but it basically says:
"The connection is not safe. The owner of www.domain.com has configured this website incorrectly. To protect your information against theft, Firefox has not connected to this site"
Sorry for my English.
Thanks!
There are various reasons for this error. As a primary investigation, you may check below:
Make sure that you have a valid CA bundle installed along with the certificate.
If you have URL(s) set in your code (any web page), make sure that you have used "HTTPS://" instead of "HTTP://", because if there is a URL in your code which is set with HTTP, the browser will detect that page as non-secure, will not load the page, and will show a security error.
https://support.mozilla.org/en-US/kb/what-does-your-connection-is-not-secure-mean
When Firefox connects to a secure website (the URL begins with "https://"), it must verify that the certificate presented by the website is valid and that the encryption is strong enough to adequately protect your privacy. If the certificate cannot be validated or if the encryption is not strong enough, Firefox will stop the connection to the website and instead show an error page.
There is an existing discussion [1] on the use of protocol-relative URLs in HTML, but what about email?
Will email clients, or service providers like Gmail, strip or modify protocol-relative URLs when they are used in HTML email?
[1] Can I change all my http:// links to just //?
I sent an email through Gmail with this content:
link
and it was received unmodified. When I right-clicked on the link to copy the link address, Chrome prepended https: to it (since Gmail uses secure HTTP), but when I inspected the element's HTML, it showed the <a> tag as I had written it.
It's not normal for email servers to change the contents of emails.
Omitting the protocol is intended to let a web browser choose between secure and insecure versions of the same content. If you load a page via https and it contains an image with an src beginning in http, the browser warns the user that it is dangerous to load insecure content -- a confusing and worrying message. If you load a page via http and it contains an image with an src beginning in https, that prevents caching among other inefficiencies.
The compromise is to allow the browser to load content with security matching the page that loads it -- efficiency for an insecure page; complete guarantee of security for a secure page.
But an email client always warns about embedded content (images, scripts, ...), meaning omitting the protocol has no benefit.
Furthermore, a non-browser email client doesn't have a protocol to begin with. It downloads information and then loads it from the disk. If you really want to let the email client choose to load embedded content with the security level with which it loaded the email, you'd let the client look for the information on the same computer. (They'll actually do that by assuming // means file:///.)
So is it safe to put a // URI in an email? I'd say it doesn't make sense; therefore, no standard way for non-browser clients to handle it has emerged, meaning you're looking at undefined behavior.
Better to choose the protocol based on the sensitivity of the information identified by the URI. Is it a chart of proprietary financial data? Use https. Is it a lolcat? Use http.
No, it's not safe to use protocol-relative URLs in email, because they change the protocol so that the browser fetches a resource over whatever protocol the site is telling it to use.
But some email clients (Outlook especially, as usual) won't try to use HTTP or HTTPS as the protocol. Instead they'll use the file:// protocol and assume the resource you're referring to is on the local machine. But it won't be. So don't use these in emails.
You have to be sure that the server you’re requesting from is capable of serving content over both HTTP and HTTPS. If not you might end up fetching content from an unsecured or nonexistent server port.
IE6 does not know how to handle this. If you care about supporting Internet Explorer 6 then you shouldn’t use these.
IE7-8 support protocol relative URLs but they’ll end up fetching the resource twice. Once from HTTP and once over HTTPS. This can slow things down a bit but the way I see things it’s not much of a problem for anyone except the person using IE7-8 and if you’re using IE you’ve got more important things to worry about.
It's browser dependent, so it depends on what browser you are using: Gmail works fine in Chrome but not in IE6.
I am using a combination of things and not sure where the error is coming from: I have a WordPress site with an installed SSL cert: https://www.joesmetrobox.com. I have the Cleanr theme installed and I am using WooCommerce and the PayPal Advanced plugin to use PayPal as the way I process payments.
Everything is fine until I try to submit the credit card information on this page: checkout/pay/?key=order_51882ad846e67&order=360 (this would be unique per transaction). Then depending on the browser I get an error:
Firefox: Security Warning: Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by others. Are you sure you want to continue sending this information?
Firebug gives me this error: a 404 error for wp-content/themes/cleanr/js/scripts.js?ver=1.0, a file which does not seem to exist.
Explorer 8: Security Warning: Do you want to view only the webpage content that was delivered securely? This webpage contains content that will not be delivered using a secure HTTPS connection, which could compromise the security of the entire webpage.
Chrome: Secure Token Expired
and if I use their developer tools I also get this extra clue: Unsafe JavaScript attempt to access frame with URL https://joesmetrobox.com/checkout/pay/?key=order_5188245e1ae70&order=361 from frame with URL https://payflowlink.paypal.com/?mode=LIVE&SECURETOKEN=LvNtL1gubfE6Z5lwc2gMiQgJ0&SECURETOKENID=joesmetro51882d664015d4.15989435. Domains, protocols and ports must match.
So I am pretty stumped at this point where to even focus my attention. I am not a programmer and know just enough to be dangerous.
I am wondering if it is some kind of token setting in Paypal that I accidentally clicked and don't need? or maybe WooCommerce isn't playing nice with Paypal, Cleanr theme or maybe both.
I just want to be able to process payments without an error popping up...does anyone have ideas?
A plugin like this may help you implement HTTPS on your site.
http://wordpress.org/extend/plugins/wordpress-https/
WooCommerce Reference: http://docs.woothemes.com/document/ssl-and-https/
Insecure content warnings
If you have insecure content warnings when viewing a secure page it means you will be linking directly to scripts, images, or stylesheets over http instead of https. Most of the time this is simply fixed by changing said links to https or by using relative URLs (e.g. /wp-content/file instead of http://yoursitename/wp-content/file). You can also use a plugin like WordPress HTTPS to force the URLs to be secure. WooCommerce does secure scripts which are enqueued correctly.
To identify the insecure links you can use a tool such as Firebug for Firefox, or Chrome's built-in developer tools, and look at the error console; insecure resources will be listed.
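The checks the error console performs can be reproduced offline. The following Python script is an added example (not from WooCommerce, WordPress HTTPS or any answer in this thread) that parses a page and labels each outbound reference the way the threads above describe: http resources on an https page (the Chrome warning in the first question), an http form action on an https page (the Firefox warning above), cross-origin fetches and links that leak the page URL via Referer (the hidden-URL answer), and protocol-relative // references resolved against a file:/// base the way the email answers say non-browser clients do. The HTML and hostnames are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs the browser fetches or submits to; <a href> only
# navigates, so it never triggers a mixed-content warning, but it still
# leaks the current page URL to the target through the Referer header.
FETCHED = {("img", "src"), ("script", "src"), ("link", "href"),
           ("iframe", "src"), ("video", "src"), ("audio", "src"),
           ("source", "src"), ("form", "action")}
LINKS = {("a", "href")}


class RefCollector(HTMLParser):
    """Collects every outbound reference together with the tag it sits in."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and ((tag, name) in FETCHED or (tag, name) in LINKS):
                self.refs.append((tag, value))


def classify(page_url, tag, ref):
    """Label one reference the way a browser's error console would."""
    resolved = urljoin(page_url, ref)  # same resolution the client performs
    page, target = urlsplit(page_url), urlsplit(resolved)
    if target.scheme not in ("http", "https"):
        kind = "non-web"               # e.g. // resolved against a file:/// base
    elif tag == "a":
        kind = "link-referer-leak" if target.netloc != page.netloc else "same-origin"
    elif page.scheme == "https" and target.scheme == "http":
        kind = "insecure-form-post" if tag == "form" else "mixed-content"
    elif target.netloc != page.netloc:
        kind = "cross-origin"          # fetched over https, but Referer still leaks
    else:
        kind = "same-origin"
    return {"tag": tag, "ref": ref, "resolved": resolved, "kind": kind}


def audit(page_url, html):
    """Return one finding per reference found in html loaded from page_url."""
    collector = RefCollector()
    collector.feed(html)
    return [classify(page_url, tag, ref) for tag, ref in collector.refs]


# Constructed sample checkout page; hostnames are placeholders, not real sites.
SAMPLE_HTML = """
<img src="/wp-content/logo.png">
<script src="http://cdn.example.net/scripts.js?ver=1.0"></script>
<link rel="stylesheet" href="//fonts.example.net/style.css">
<form action="http://pay.example.net/submit"><input name="card"></form>
<a href="https://partner.example.org/">partner</a>
"""
```

Calling `audit("https://shop.example.com/checkout/pay/?key=SECRET", SAMPLE_HTML)` yields one finding per tag; running `audit` with a `file:///` base instead shows the `//` stylesheet resolving to `file://fonts.example.net/style.css`, which is why it fails in mail clients.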
I have a page on my site which was meant to be SSL enabled. Now, if the page has a link to an external site, does this invalidate my SSL encryption?
Thanks
SSL deals with the communication between your server and the requesting browser. When using SSL the html that comprises your page is sent over an encrypted channel to the browser. The browser then decrypts the html and renders the contents. Whether or not that html contains links to other websites than your own means absolutely nothing.
If you are loading a section of a page from another site, for instance an iframe, then the encrypted HTML that is sent to the browser only has a link to this external content. If that external content does not encrypt content, it does not affect the encrypted content from your site.
However, this can lead to security issues. You do not control what that external content is; it could just log all of the user's cookies, which could be used to steal passwords.