ssl not working correctly - asp.net

I have an SSL certificate set up and when I use the https prefix Google Chrome puts a skull next to it and crosses out the https. Here's what the security information says:
The identity of this website has been verified by Go Daddy Secure Certification Authority.
Your connection is encrypted with 128-bit encryption... However, this page includes other resources which are not secure.
What am I doing wrong?

This means that you are linking to a resource (CSS, JavaScript, image, etc) on your website that does not have an SSL connection.
Check that all of your images, JavaScript, and CSS links are either relative (e.g. starting with \ or image\myimage.png, not http://www.mysite.com/images/myimage.png) or linking to an SSL site as well.
A common cause of this issue can be Google AdSense, which does not offer an SSL option for ad serving. Similar JavaScript links may also be "breaking" your SSL's "validity".

This occurs when you are using items that are not protected by your SSL cert. This could be items not under the SSL settings on your web server, or items from another server entirely, for example.
In Chrome you can set all insecure content to be blocked to see what breaks and fix it.
OR
Use Firebug in Firefox and see if there are any files that are being grabbed with the http protocol in the net tab.
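An added example (not part of either answer above): a small Python scanner that does offline what the answers suggest checking in the browser, listing every subresource an HTTPS page would fetch over plain http. The sample HTML and host names are constructed; relative URLs, protocol-relative URLs and navigation-only links are deliberately left unflagged.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# (tag, attribute) pairs that fetch a subresource; "active" content can script the page.
KINDS = {("script", "src"): "active", ("iframe", "src"): "active",
         ("object", "data"): "active", ("embed", "src"): "active",
         ("img", "src"): "passive", ("audio", "src"): "passive",
         ("video", "src"): "passive", ("source", "src"): "passive"}

class MixedContentFinder(HTMLParser):
    """Collect subresources that an HTTPS page would fetch over plain HTTP."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "").strip() for name, value in attrs}
        for name, value in attrs.items():
            kind = KINDS.get((tag, name))
            # <link> loads a resource only for some rel values (not rel="canonical").
            if tag == "link" and name == "href" and "stylesheet" in attrs.get("rel", "").lower():
                kind = "active"
            if kind is None or not value:
                continue
            # Relative and protocol-relative URLs inherit the page's scheme.
            absolute = urljoin(self.page_url, value)
            if urlparse(absolute).scheme == "http":
                self.findings.append((kind, tag, absolute))

def find_mixed_content(page_url, html):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample page (hypothetical hosts), not the asker's site.
SAMPLE = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<link rel="canonical" href="http://www.example.com/">
<script src="http://ads.example.net/show_ads.js"></script>
<script src="//cdn.example.net/lib.js"></script>
</head><body>
<img src="images/logo.png">
<img src="http://www.example.com/images/banner.png">
<a href="http://www.example.com/about">About</a>
</body></html>"""
if __name__ == "__main__":
    for kind, tag, url in find_mixed_content("https://www.example.com/", SAMPLE):
        print(f"{kind:8} <{tag}> {url}")
```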

Related

having "https" at the beginning of URL without having to manually add it

I have a Comodo SSL certificate on my host plan, however when accessing my site from Google, it sends me automatically to
http://example.com, where the green lock doesn't appear.
If I manually add "https", like: https://example.com it does show up!
Is there a way to access my website always with the green lock showing up, instead of manually having to write it every time?

You can easily redirect to the https version of any page using rewrite rules/rewrite module of your web server (the exact way to do this depends on the webserver used). Ask your provider, this is a common case so there may even be a UI option in your console to do this.
Regarding Google, see this: https://webmasters.stackexchange.com/questions/67212/how-to-convince-google-to-list-https-version-of-website
It may also be good form to verify the protocol used to access the site in your authentication module and refuse authentication if the wrong protocol is used. Assuming web rules are used to redirect traffic, this would prevent leaking information due to a misconfiguration/bug.
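An added example (not from the answer, and not tied to any particular web server): the two measures described above written as framework-neutral Python WSGI middleware, redirecting plain-HTTP requests to HTTPS while refusing, rather than redirecting, a login that arrives over HTTP. The /login path, the canonical host and the demo application are hypothetical, and the code assumes wsgi.url_scheme reflects the client's actual connection (no TLS-terminating proxy in front).

```python
from urllib.parse import quote

def require_https(app, canonical_host, login_paths=("/login",)):
    """WSGI middleware: redirect plain-HTTP requests to HTTPS, but refuse
    (rather than redirect) credential posts that arrive over HTTP."""
    def middleware(environ, start_response):
        if environ.get("wsgi.url_scheme") == "https":
            def with_hsts(status, headers, exc_info=None):
                # HSTS: the browser upgrades later visits to HTTPS by itself.
                headers = list(headers) + [("Strict-Transport-Security", "max-age=31536000")]
                return start_response(status, headers, exc_info)
            return app(environ, with_hsts)
        path = environ.get("PATH_INFO", "/")
        if environ.get("REQUEST_METHOD") == "POST" and path in login_paths:
            # The credentials already crossed the network in clear text, so
            # fail visibly instead of hiding the misconfiguration.
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Authentication is only accepted over HTTPS.\n"]
        # Redirect to the configured host, never to the client's Host header.
        location = "https://" + canonical_host + quote(path)
        if environ.get("QUERY_STRING"):
            location += "?" + environ["QUERY_STRING"]
        start_response("301 Moved Permanently", [("Location", location)])
        return [b""]
    return middleware

def demo_app(environ, start_response):  # hypothetical protected application
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]

def call(app, scheme, method, path, query=""):
    """Drive a WSGI app with a constructed request; return (status, headers)."""
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    environ = {"wsgi.url_scheme": scheme, "REQUEST_METHOD": method,
               "PATH_INFO": path, "QUERY_STRING": query, "HTTP_HOST": "example.com"}
    b"".join(app(environ, start_response))
    return seen["status"], seen["headers"]

if __name__ == "__main__":
    site = require_https(demo_app, "example.com")
    for request in [("http", "GET", "/shop", "id=1"), ("http", "POST", "/login"),
                    ("https", "POST", "/login")]:
        print(request, "->", call(site, *request))
```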

Error getting my website on some browsers

Well, I have this website made with WordPress hosted on HostGator in a web hosting. Sometimes when I access it with some browsers like Firefox it gives me this error:
The text is in Spanish, but it basically says:
"The connection is not safe. The owner of www.domain.com has configured
this website incorrectly. To protect your information against theft,
Firefox has not connected to this site"
Sorry for my English.
Thanks!

There are various reasons for this error. As a primary investigation, you may check below:
Make sure that you have a valid CA bundle installed along with the certificate.
If you have URL(s) set in your code (any web page), make sure that you have used "HTTPS://" instead of "HTTP://". Because, if there is a URL in your code which is set with HTTP, the browser will detect that page as non-secured and it will not load the page and will show a security error.
https://support.mozilla.org/en-US/kb/what-does-your-connection-is-not-secure-mean
When Firefox connects to a secure website (the URL begins with "https://"), it must verify that the certificate presented by the website is valid and that the encryption is strong enough to adequately protect your privacy. If the certificate cannot be validated or if the encryption is not strong enough, Firefox will stop the connection to the website and instead show an error page.

Use of "reversed" mixed content (serving active and passive HTTPS content to HTTPS website)

I have found a lot of information about serving http content into https websites and what to think of when doing / not doing that.
My problem is slightly different: I want to serve https content from one domain (active and passive) into websites on another, http-only domain, but I can't find any information about browser support for that.
Example:
http://www.mydomain.com
loads scripts and images from
https://www.myotherdomain.com
I have tried this out in Chrome / Firefox and seem to not get any warnings, but wonder what the general browser support out there is. Can I expect this to work anywhere?

The reason for mixed content warnings is that when a user is browsing a page over https and it has content embedded which is accessed over http, the user would believe they are on a secure connection but not be aware of the insecure content otherwise. This could be used to trick a user into believing they are secure when actually they are not.
In your case the user would of course only see http, and not see anything to make them believe the connection is secure. This therefore would not be a security concern, meaning that browsers will allow this.
The bigger question is why you may want to do this. Remember, you will not benefit from caching between your server and the client, which would increase load on your https server. I'd be tempted to serve a copy of your files over http and only use the ones served over https for pages served over https.

Problem with https certificate in Flex Mobile Application

When I try to get data in a mobile flex app from a secure site, I get following alert:
A secure connection with this site cannot be verified. Would you still
like to proceed? The certificate you are viewing does not match the
name of the site you are trying to view.
For each call, I get the popup. If I keep on clicking Yes, the app works fine (but I would like to avoid that ;-)).
Any ideas? Apparently, the url from where the request comes, is not the same as defined in the certificate... But what is the url if called from a mobile app (standalone)? It's neither an error, because you can click on yes. So it's more that the client gives a warning. The annoying thing is that you can't accept it permanently...

This is the same whenever a cert is not correct and Chrome or Firefox alerts you and asks if you want to proceed. You can't accept a faulty cert on behalf of your users. The easiest way to fix this is to tell the site owner to get a proper cert.

Check with the system administrators of the website whether the certificate installed is issued for your domain. It appears that the certificate is issued for a domain https://xxxx whereas it is installed on https://yyyy
Bypassing is OK for testing; it seems you will finally have to get this corrected.

In my experience this only comes up with self-signed certs, expired certs, and when you are calling the cert by a URL that is not identified in the cert.
With most certs they are associated with a single host/domain combination, i.e. https://www.domain.com
That means that they cannot be used with any other domain host combination. Not even http://domain.com or https://sub.domain.com.
There are certs that will support different hosts on the same domain (www.domain.com, sub.domain.com, etc). They are called wildcard certs. They are very expensive compared to normal single domain certs.
My guess is that in the browser you are calling www.domain.com but in your AIR app you are calling domain.com or calling some other host. That or you have permanently accepted the improper cert in the browser.
I have never had a problem with anything improperly identifying a valid cert. Not a browser, Flex app, AIR application. Ever.
If you view the cert in the browser you should be able to see what domain/host it is registered to. Make sure you are using exactly that. Any variation will cause the error.
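An added example (not part of the answer above): a Python sketch of the name check a TLS client applies, showing why a certificate for one host fails on any other host and what a wildcard name does and does not cover. The matching follows the common RFC 6125 rule that a wildcard stands for exactly one left-most label; the certificate name lists and URLs are constructed from the hosts named in the answer.

```python
from urllib.parse import urlparse

def name_matches(cert_name, hostname):
    """True if one certificate DNS name covers hostname (RFC 6125 style)."""
    pattern = cert_name.lower().rstrip(".").split(".")
    labels = hostname.lower().rstrip(".").split(".")
    if len(pattern) != len(labels):
        return False  # a name, wildcard or not, covers exactly one depth
    if pattern[0] == "*":
        # Simplification: require at least "*.domain.tld" so "*.com" is refused.
        if len(pattern) < 3 or not labels[0]:
            return False
        return pattern[1:] == labels[1:]
    return pattern == labels

def covering_names(cert_names, url):
    """Return the certificate names that cover the host part of url."""
    host = urlparse(url).hostname or ""
    return [name for name in cert_names if name_matches(name, host)]

# Constructed certificate name lists and URLs using the hosts named in the answer.
SINGLE = ["www.domain.com"]
WILDCARD = ["*.domain.com"]
URLS = ["https://www.domain.com/api", "https://domain.com/api",
        "https://sub.domain.com/api", "https://a.b.domain.com/api"]

if __name__ == "__main__":
    for label, names in (("single", SINGLE), ("wildcard", WILDCARD)):
        for url in URLS:
            hit = covering_names(names, url)
            print(f"{label:9} {url:32} {'OK ' + hit[0] if hit else 'NAME MISMATCH'}")
```

The wildcard name does not cover the bare domain.com or a two-level host such as a.b.domain.com; each of those needs its own name in the certificate.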
As a temporary solution I added some exceptions to the URL Rewrite Module, so that communication by Mobile App can be done with HTTP. But it's no longer secure, so I would rather use HTTPS.

I have also faced this issue, and the simple solution is to fix the certificate issue. If that is not possible, then forget about using HTTPS and use HTTP only. So you never get any complaint about any certificate issue.

Is it possible to have a different HTTPS domain in an iFrame, on another HTTPS domain?

Do browsers throw security errors when "https://sub.example.com" is embedded in an iFrame inside "https://www.example.com"?
If not, are there any restrictions? Do they need to be using the same SSL certificate (wildcard)?

No, HTTPS content from many separate sources (via images, iframes, scripts etc) may comprise a single page whilst keeping the ‘secure’ UI, as long as all resources independently pass certificate validation. Doesn't have to be the same hostname, same domain, same certificate or same CA.

Resources