while implementing hhtps, is there a way not to show the message "Do you want to view only the webpage content that was delivered securely?" and force the answer to "no" as it will mess up with my css and javascript .
thanks
you may need to serve all the page elements, including the css and javascript from the SSL server.
Also see Dealing with HTTP content in HTTPS pages
That is implemented by the browser process, not the transport mechanism. There are plenty of custom implementations that would not show that warning, but most commonly available browsers will as it represents a potential security hole in the SSL process.
Essentially its the browser warning you that it only got part of the content from an SSL connection, and there is no way for you the end user to directly tell which page elements are from the trusted (i.e. SSL connected) host and which are from untrusted hosts.
If you want to avoid this, either consider placing your CSS/javascript in the pages directly, or limit your SSL to only specific pages which do not include those resources.
Follow these steps to turn this off, but as everything you with security you must weight the risks.
Navigate to Tools-> Internet Options-> Security
Select the "Security Tab"
Click the "Custom Level" button at the bottom
In the "Miscellaneous" section change "Display mixed content" to Enable
Then click the "OK" button
Fissh
Related
Scenario goes like this:
Main parts of web site is on one server. All traffic goes over https. I have no control ovet this server.
Themes use css files and images from another server. Also over https. I have full control over this server.
How vulnerable is the main site (how and why) if css files and images would go over http? I am asking only about css and images.
I don't know how relevant is, but server is Apache and language is PHP.
---------------- edit ------------
So far, there is 'a man in the middle' attack who can change css and thus hide my content, introduce new images and add more text.
But can not create live links, or add js...
Here is a good discussion about this topic started by symcbean.
Any unencrypted HTTP connection can potentially be intercepted and modified by men-in-the-middle. That means, any resource you're retrieving via an HTTP connection is untrustworthy; it cannot be confirmed whether it's the original resource as intended. That means an attacker may be able to include resources in your page which you did not intend to include.
In the case of CSS files content can be altered on your site (display: none, content: "Please go to example.com and enter your password"), in the case of images exploits may be introduced (through buggy image decoding client-side), in the case of Javascript entirely arbitrary behaviour may be injected (e.g. sending all key-strokes to a 3rd party server).
A third party may modify those CSS or images to convey different things, either by tampering that data on the fly, or by spoofing the target. The browser would not know if is getting those from a reliable source, and probably would complain about mixed content issues. CSS3 has many features that may bring pictures from another domain or include unintended content.
I have ssl in my e-commerce web site. At first, browser always asking "do you want to show this web site's content" in all page and when I redirect to mycart page browser shows the same alert like that "This webpage contains content that will not be delivered using a secure HTTPS connection, which could comprise the safety of the entire webpage....Yes...No....". After I clicked to yes, all my sessions get null. Do you have any suggestions for me?
KR,
Çağın
The problem is your secure page is accessing information (scripts, images, etc.) from pages that are not secure. For example if you reference a javascript file (say jQuery) from a nonsecure site (say Google) then certain browsers (like IE) will display this message. You need to search through your references and find these. In other words searching src="http or something along those lines will pull up the nonsecure references.
Depending on what you are referencing you can move those items to your site so that they are now "secure". Also, in some cases changing your reference from src="http to src="https can resolve the problem.
Once you resolve this alert you can check again to see if you are having sessions issues as you could have some other issues to address.
I often have to go into other people's work to make modifications for short-term contracts and a lot of times I have to deal with security warnings throwing in IE because something is including HTTP content from maybe an image, or css or whatever, onto a HTTPS secure page.
I was just curious if there is a well known program or service that will scan a URL and come back with exactly what is coming from HTTP instead of HTTPS on a page?
I use fiddler, but for reasons having to do with my own inadequacies, I find the program difficult at times, and am un-able to zero in on the offending content in a timely manner.
Any advice from the true pros?
Using Fiddler:
In main menu > Tools > Fiddler options, tab HTTPS, uncheck Capture HTTPS CONNECTs. Then, in main menu > Rules, check Hide HTTPS CONNECTs.
This way, the only thing you'll see in your Fiddler capture will be the HTTP requests and responses (without the HTTPS requests or CONNECTs getting in the way).
I would load up the page in Firefox and use Firebug's Net panel to examine all the resources that the page loads.
There's no 'set in stone' way as far as I know, but the easiest way I know of is to either use a tool such as Opera Dragonfly or Chrome's Web Inspector, view the 'Network' tab and see where the resources are being loaded from. You can sometimes (depending on what you use) order this alphabetically and you will clearly see between http:// and https://.
Also as already mentioned, you could just search the source for http://.
When accessing our sharepoint site via HTTPS, users inside our network receive a prompt stating "Display nonsecure items?".
When accessing the site from outside our network via HTTPS, some images do not display at all. Some links do not function correctly as well.
We have found that this occurs when site administrators create images and/or link and display them using HTTP.
How can we seamlessly integrate HTTP and HTTPS so that we don't have to tell site administrators to use only HTTPS when creating images and links?
I have looked at our Alternate Access mappings, and here is the relevant info there:
http://computername Default http://computername
http://HostName Default http://HostName
http://subdomain.domain.com Intranet http://subdomain.domain.com
https://subdomain.domain.com Extranet https://subdomain.domain.com
http://computername:port Default http://computername:port
http://subdomain2.domain.com Default http://subdomain2.domain.com
http://computername:port2 Default http://computername:port2
...Some explanation:
ComputerName is the name of the server.
HostName is just a single hostname DNS entry we have so people can quickly type for example "Sharepoint" in their address bar.
Subdomain is basically sharepoint.ourdomain.com. pretty self explanitory
Subdomain2 is for our Business Intelligence services server.
We have two entries with port numbers. One goes to central admin. the other gives an error and i'm not sure what its used for (if anything).
I inherited support of this application. I hope things arent too messed up.
So TLDR: How can I get HTTP and HTTPS working seamlessly together inside/outside our network to avoid missing images and invalid links?
Thanks all.
The problem is that the urls in the links and image src are absolute rather than relative.
http://subdomain.domain.com/someimage.gif is always going to use http as its an absolute link.
/someimage.gif is a relative link (the leading / means relative from the hostname) so if this url is from a http site it will use http, from a https site will use https (well technically depends upon the document BASE but you can ignore that for your purposes)
E.g. given the relative URL /somepage/someimage.gif
When accessed from this page
Will mean this
http://example.com/somepage/
http://example.com/somepage/someimage.gif
httpS://example.com/somepage/
httpS://example.com/somepage/someimage.gif
http://NEWDOMAIN.com/somepage/
http://NEWDOMAIN.com/somepage/someimage.gif
and everything will work just fine with no warnings.
The built in CEWP puts all links in as Absolute. To fix -
MSDN - Fixing absolute URLs for all Alternate Access Mappings (AAM) of Content Editor Web Part with a Control Adapter
I'm working on a web site which contains sections that need to be secured by SSL.
I have the site configured so that it runs fine when it's always in SSL, I see the SSL padlock in IE7/IE8/FireFox/Safari/Chrome
To implement the SSL switching, I created a class that implemented IHTTPModule and wired up HTTPApplication.PreRequestHandlerExecute.
I go through some custom logic to determine whether or not my request should use SSL, and then I redirect. I have to deal with two scenarios:
Currently in SSL and request doesn't require SSL
Currently not in SSL but request requires SSL
I end up doing the followng (where ctx is HttpContext.Current and pathAndQuery is ctx.Request.Url.PathAndQuery)
// SSL required and current connection is not SSL
if (requestRequiresSSL & !ctx.Request.IsSecureConnection)
ctx.Response.Redirect("https://www.myurl.com" + pathAndQuery);
// SSL not required but current connection is SSL
if (!requestRequiresSSL & ctx.Request.IsSecureConnection)
ctx.Response.Redirect("http://www.myurl.com" + pathAndQuery);
The switching back and forth now works fine. However, when I go into SSL mode, FireFox and IE8 warns me that my request isn't entirely encrypted.
It looks like my module is short circuiting my request somehow, would appreciate any thoughts.
I would suspect, that when you determine which resources require encryption, and which not, you do not include the images, or some header and footers as well, or even CSS files, if you use any.
As you always throw away SSL for such a content, it may happen that part of the page (main html) requires SSL, but the consequential request for an image on this page does not.
The browser is warning you, that some parts of the page were not delivered using SSL.
I will check if the request is for HTML, and only then drop the SSL if needed. Otherwise, keep it the way it is (most probably images and such are referenced with relative paths, than a full blown url).
I.e., if you have:
<html>
<body>
Some content...
<img src="images/someimage.jpg">
</body>
</html>
and you request this page using SSL, but your evaluation of requestRequiresSSL does not take into account the images as secured resources, it will form a http, not https request, and you will see the warning.
Make sure when you request a resource and evaluate requestRequiresSSL, to check the referrer and if this is an image:
// SSL not required but current connection is SSL
if (!requestRequiresSSL && ctx.Request.IsSecureConnection && !isHtmlContent)
ctx.Response.Redirect("http://www.myurl.com" + pathAndQuery);
Just figure out how to determine isHtmlContent (if you do not serve images from a database, etc., but from a disk location), just check the the resource filename (.aspx, .asmx, .ashx, .html, etc.).
That way, if the connection is encrypted, but the resource itself is not html, and no set for "encryption", you are not going to drop the encryption.
I highly recommend using this (free / open source) component to do what you're trying:
http://www.codeproject.com/KB/web-security/WebPageSecurity_v2.aspx
Any content that is not normally handled by .Net (such as regular html and most graphic files) will not execute the httpmodule because it doesn't go through .net
Your best bet is to just handle this at the IIS level. See the following for info on how to configure your server.
http://www.jameskovacs.com/blog/HowToAutoRedirectToASSLsecuredSiteInIIS.aspx
I highly recommend you this product:
http://www.e2xpert.com/web/Http-Https-Switch.aspx
It is professional and easy to use. It comes with a powerful configuration tool, by which just one click can finish the entire configuration for you.
Just use SSL throughout your site, for all pages and for all images/scripts/stylesheets. That just makes everything oh-so-simple. IE and Firefox will no longer complain, you will no longer have crazy modules trying to guess whether any given request should be redirected, etc.
For the average user it's nearly impossible for them to make a informed decision when the only thing Firefox vaguely tells them is, "Parts of the page you are viewing were not encrypted before being transmitted over the Internet." This is about as helpful as the "somethings wrong" engine light and in fact is telling them after their information has been transferred.
The least this message should be accompanied with is a list providing the URL, type of content (images, javascript, css) and what it means to the user. BTW I get this message when using GMail.
Until that happens, as others stated your code should work once you determine the unsecured elements. Then you can use Firebug (http://getfirebug.com) to check the content being delivered over the connection.