I have a page on my site which was meant to be SSL enabled. Now, if the page has a link to an external site, does this invalidate my SSL encryption?
Thanks
SSL deals with the communication between your server and the requesting browser. When using SSL the html that comprises your page is sent over an encrypted channel to the browser. The browser then decrypts the html and renders the contents. Whether or not that html contains links to other websites than your own means absolutely nothing.
If you are loading a section of a page from another site, for instance an iframe, then the encrypted HTML that is sent to the browser only has a link to this external content. If that external content does not encrypt content, it does not affect the encrypted content from your site.
However, this can lead to security issues. You do not control what that external content is; it could just log all of the users' cookies, which could be used to steal passwords.
There is existing discussion [1] on the use of protocol-relative URLs in HTML, but how about email?
Will email clients, or service providers like Gmail, strip or modify protocol-relative URLs when they are used in HTML email?
[1] Can I change all my http:// links to just //?
I sent an email through Gmail with this content:
link
and it was received unmodified. When I right-clicked on the link to copy the link address, Chrome prepended https: to it (since Gmail uses secure HTTP), but when I inspected the element's HTML, it showed the <a> tag as I had written it.
It's not normal for email servers to change the contents of emails.
Omitting the protocol is intended to let a web browser choose between secure and insecure versions of the same content. If you load a page via https and it contains an image with an src beginning in http, the browser warns the user that it is dangerous to load insecure content -- a confusing and worrying message. If you load a page via http and it contains an image with an src beginning in https, that prevents caching among other inefficiencies.
The compromise is to allow the browser to load content with security matching the page that loads it -- efficiency for an insecure page; complete guarantee of security for a secure page.
But an email client always warns about embedded content (images, scripts, ...), meaning omitting the protocol has no benefit.
Furthermore, a non-browser email client doesn't have a protocol to begin with. It downloads information and then loads it from the disk. If you really want to let the email client choose to load embedded content with the security level with which it loaded the email, you'd let the client look for the information on the same computer. (They'll actually do that by assuming // means file:///.)
So is it safe to put a // URI in an email? I'd say it doesn't make sense; therefore, no standard way for non-browser clients to handle it has emerged, meaning you're looking at undefined behavior.
Better to choose the protocol based on the sensitivity of the information identified by the URI. Is it a chart of proprietary financial data? Use https. Is it a lolcat? Use http.
No, it's not safe to use protocol-relative URLs in email, because they change the protocol so that the browser can fetch a resource over whatever protocol the site is telling it to use.
But some email clients (Outlook especially, as usual) won't try to use HTTP or HTTPS as the protocol. Instead they'll use the file:// protocol and assume the resource you're referring to is on the local machine. But it won't be. So don't use these in emails.
You have to be sure that the server you’re requesting from is capable of serving content over both HTTP and HTTPS. If not you might end up fetching content from an unsecured or nonexistent server port.
IE6 does not know how to handle this. If you care about supporting Internet Explorer 6 then you shouldn’t use these.
IE7-8 support protocol relative URLs but they’ll end up fetching the resource twice. Once from HTTP and once over HTTPS. This can slow things down a bit but the way I see things it’s not much of a problem for anyone except the person using IE7-8 and if you’re using IE you’ve got more important things to worry about.
It's browser dependent, so it depends on which browser you are using: Gmail works fine in Chrome but not in IE6.
I'm using an iframe technology that places my html page inside of a 'landing page' hosted by our clients.
The problem in one situation is that the page hosted by the client is HTTPS and it shows the security warning: "Do you want to view only the webpage content that was delivered securely? Yes No"
I want this to be resolved... not sure what to do. We have an SSL certificate which works, but that particular iframe page, when accessed via https on my local box, shows the SSL warning that it's not valid.
Read this article for some background about mixed content. In general, you can't have a HTTP-based subframe of a HTTPS-based page; if you do, you'll encounter this warning in most browsers in some form or another (some show a notification bar, a broken lock, or other indicator).
You'll either need to change the page so that the top-level isn't HTTPS, or so that the subpage is also HTTPS and bears a valid certificate.
I have a page on my website https://www.mydomain.com/about . It consists of a Vimeo video.
We are embedding the Vimeo video in an iframe on the page.
But it shows a security warning stating "Do you want to view only the webpage content that was delivered securely?".
Is there a way to avoid this ?
That warning means that some content on your page was served through HTTP instead of HTTPS. It tells the user that, even though the page itself was served through HTTPS, it includes content (image, stylesheets, scripts, iframes) that was not authenticated, and that such content may be subject to MITM attacks.
If you want to avoid the warning, you should set the source of the iframe to an https: URL.
I have a page that forces SSL and everything checks out fine in my browser without any query strings. I added some query strings in order to query the database for a particular product that we offer and now Google Chrome says "Your connection is encrypted with 256-bit encryption. However, this page includes other resources which are not secure." Is this something to worry about? Is Chrome only wary of the query strings?
If your query string opens a page that presents images or content not hosted within the domain(s) listed in the SSL certificate, then Chrome is simply warning you that some of the content on the page is not encrypted over SSL because it's being retrieved from an unencrypted source.
Basically, if your content page includes content from another source (i.e. inline frame, image, YouTube video, etc.), the page content is not completely secure.
Is it still not kosher to have an https page with images that are not accessed via SSL? (i.e. imagine a web app which is SSL for all important content, but images and styles are coming via a plain http CDN).
Correct, it's still not kosher. It will cause warnings in many browsers about "mixing secure and insecure content."