Is it still not kosher to have an https page with images that are not accessed via SSL? (i.e. imagine a web app which is SSL for all important content, but images and styles are coming via a plain http CDN).
Correct, it's still not kosher. It will cause warnings in many browsers about "mixing secure and insecure content."
I have a web api application that I am considering moving to HTTPS. The reason is really just for the initial login where I would like to hide the username and password.
Once logged in do all other calls from the pages also need to be HTTPS? For example do my calls to CSS and scripts need to travel over HTTPS? How about WebAPI calls?
When referencing HTTP content from HTTPS pages, some user agents will issue warnings about "mixed content" or "insecure content" to the user; others may block the content (older versions of IE do that). GitHub solved this issue using nginx as a reverse proxy, so it serves the static content as HTTPS.
If you are only worried about the authentication, and it is cookie based, you can do the authentication in HTTPS and then get back to HTTP. The cookie will be shared as long as it is not marked as Secure. Remember that both the GET request acquiring the login FORM and the POST call sending the login form should be HTTPS to be secure.
You can use the page in HTTP and do the AJAX calls in HTTPS: Ajax using https on an http page. Again, this may be useless if the auth form is not secure as well.
If your static content is hosted in a CDN, probably the CDN is able to proxy the requests to your site and return HTTPS content if required.
Static content served as HTTP won't be cached for when you request the same content through HTTPS, nor vice versa, so it will basically be downloaded twice.
Also relevant, please check these 7 myths about HTTPS, especially myth #1. If you are worried about security, maybe switching completely to HTTPS is the best decision.
I have found a lot of information about serving http content into https websites and what to think of when doing / not doing that.
My problem is slightly different: I want to serve https content (active and passive) from one domain into websites on another, http-only domain, but I can't find any information about browser support for that.
Example:
http://www.mydomain.com
loads scripts and images from
https://www.myotherdomain.com
I have tried this out in Chrome / Firefox and seem to not get any warnings, but wonder what the general browser support out there is. Can I expect this to work anywhere?
The reason for mixed content warnings is that when a user is browsing a page over https and it has content embedded which is accessed over http, the user would believe they are on a secure connection but not be aware of the insecure content otherwise. This could be used to trick a user into believing they are secure when actually they are not.
In your case the user would of course only see http, and not see anything to make them believe the connection is secure. This therefore would not be a security concern, meaning that browsers will allow this.
The bigger question is why you may want to do this; remember you will not benefit from caching between your server and the client, which would increase load on your https server. I'd be tempted to serve a copy of your files over http and only use the ones served over https for pages served over https.
I'm using an iframe technology that places my html page inside of a 'landing page' hosted by our clients.
The problem in 1 situation is the page hosted by the client is HTTPS and it shows the Security Warning: "Do you want to view only the webpage content that was delivered securely? Yes / No"
I want this to be resolved... not sure what to do. We have an SSL certificate which works, but for that particular iframe page, when accessed via https on my local box, it shows the SSL warning that it's not valid.
Read this article for some background about mixed content. In general, you can't have an HTTP-based subframe of an HTTPS-based page; if you do, you'll encounter this warning in most browsers in some form or another (some show a notification bar, a broken lock, or other indicator).
You'll either need to change the page so that the top-level isn't HTTPS, or so that the subpage is also HTTPS and bears a valid certificate.
I have an SSL certificate set up and when I use the https prefix Google Chrome puts a skull next to it and crosses out the https. Here's what the security information says:
The identity of this website has been verified by Go Daddy Secure Certification Authority.
Your connection is encrypted with 128-bit encryption... However, this page includes other resources which are not secure.
What am I doing wrong?
This means that you are linking to a resource (CSS, JavaScript, image, etc) on your website that does not have an SSL connection.
Check that all of your images, JavaScript, and CSS links are either relative (e.g. starting with \ or image\myimage.png, not http://www.mysite.com/images/myimage.png) or linking to an SSL site as well.
A common cause of this issue can be Google AdSense, which does not offer an SSL option for ad serving. Similar JavaScript links may also be "breaking" your SSL's "validity".
This occurs when you are using items that are not protected by your SSL cert. This could be items not under the SSL settings on your web server or if you are using items from another server entirely for example.
In Chrome you can set all insecure content to be blocked to see what breaks and fix it.
OR
Use Firebug in Firefox and see if there are any files that are being grabbed with the http protocol in the net tab.
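A small offline checker for the problem described in the answers above (HTTP subresources referenced from an HTTPS page) is added here as an example; it is not code from any of the posters. It parses an HTML document, resolves each subresource reference against the page URL the way a browser would, and reports which references would be mixed content. Relative and protocol-relative (`//host/...`) references inherit the page scheme and are therefore fine, plain `http://` references on an `https://` page are flagged (with `script`, stylesheet `link`, `iframe`, `object` and `embed` treated as active content, images and media as passive), and a page served over plain `http://` gets no findings at all. Plain `<a href>` links are deliberately not collected, since they are not fetched as part of the page. The sample HTML and the hostnames in it are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that make the browser fetch a subresource at load time.
# <a href> is intentionally absent: a link to another site is not a subresource.
SUBRESOURCE_ATTRS = {
    "img": ("src",),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "frame": ("src",),
    "object": ("data",),
    "embed": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "source": ("src",),
}

# Tags whose content can run code or replace part of the document ("active" mixed content).
ACTIVE_TAGS = {"script", "link", "iframe", "frame", "object", "embed"}


class SubresourceCollector(HTMLParser):
    """Collect (tag, attribute, raw value) for every subresource reference in the HTML."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = SUBRESOURCE_ATTRS.get(tag)
        if not wanted:
            return
        attrs = dict(attrs)
        for name in wanted:
            value = attrs.get(name)
            if value:
                self.refs.append((tag, name, value.strip()))


def classify(page_url, tag, raw_ref):
    """Return (verdict, resolved_url); verdict is 'ok', 'active-mixed' or 'passive-mixed'."""
    page_scheme = urlsplit(page_url).scheme
    # Relative ("images/logo.png", "/a.css") and protocol-relative ("//cdn/x.js")
    # references resolve to the page's own scheme, which is why they are safe.
    resolved = urljoin(page_url, raw_ref)
    ref_scheme = urlsplit(resolved).scheme
    if page_scheme != "https":
        return "ok", resolved      # an http page shows no lock, so nothing is misrepresented
    if ref_scheme != "http":
        return "ok", resolved      # https, data:, blob: etc. are not mixed content
    verdict = "active-mixed" if tag in ACTIVE_TAGS else "passive-mixed"
    return verdict, resolved


def scan(page_url, html):
    """Classify every subresource reference found in html, as loaded from page_url."""
    collector = SubresourceCollector()
    collector.feed(html)
    return [
        {"tag": tag, "attr": attr, "url": url, "verdict": verdict}
        for tag, attr, raw in collector.refs
        for verdict, url in [classify(page_url, tag, raw)]
    ]


def mixed(page_url, html):
    """Only the findings a browser would warn about or block."""
    return [f for f in scan(page_url, html) if f["verdict"] != "ok"]


# Constructed sample page: a mix of relative, protocol-relative, https and http references.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="stylesheet" href="http://cdn.example.net/theme.css">
<script src="//cdn.example.net/app.js"></script>
<script src="http://ads.example.org/ad.js"></script>
</head><body>
<img src="images/logo.png">
<img src="http://cdn.example.net/banner.png">
<iframe src="http://partner.example.com/landing"></iframe>
<a href="http://external.example.com/">external link (not a subresource)</a>
</body></html>
"""

if __name__ == "__main__":
    for page in ("https://www.mysite.example/", "http://www.mysite.example/"):
        print(f"== {page}")
        for f in scan(page, SAMPLE_HTML):
            print(f"  {f['verdict']:14} <{f['tag']} {f['attr']}> {f['url']}")
```

Run against the sample, the HTTPS page yields two active findings from the `http://` stylesheet and script, one from the `http://` iframe, and one passive finding from the `http://` image, while the relative and `//` references resolve to `https://` and pass; the same HTML loaded over `http://` yields nothing, which matches the second answer's point that a plain-http page embedding https content raises no warning.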
I have a page on my site which was meant to be SSL enabled. Now, if the page has a link to an external site, does this invalidate my SSL encryption?
Thanks
SSL deals with the communication between your server and the requesting browser. When using SSL the html that comprises your page is sent over an encrypted channel to the browser. The browser then decrypts the html and renders the contents. Whether or not that html contains links to other websites than your own means absolutely nothing.
If you are loading a section of a page from another site, for instance an iframe, then the encrypted HTML that is sent to the browser only has a link to this external content. If that external content does not encrypt content, it does not affect the encrypted content from your site.
However, this can lead to security issues. You do not control what that external content is; it could just log all of the user's cookies, which could be used to steal passwords.