Strange insecure tracking code loaded on a secure page with https - security

i have a website running adsense and its on HTTPS
recently i noticed some mixed content warnings. When i checked the insecure content loaded it turned out to be coming from this domain:
http://ad.afy11.net/ad?mode=7&publisher_dsp_id=74&external_user_id=AQECC2tGjY3QXwJlCfSKAQEBAQE&expiration=1526138980&external_user_id=
i read online that this is some tracking code by adsense, but how come it's not secure? other people said it could be a malware, so what exactly is that?

"Mixed content" means that your page is served over HTTPS, but some sub-components are HTTP. This URL begins http:.
The primary concern in this case is that this domain name can be spoofed on a local network, causing browsers who have contacted your secure site (and displayed a "this connection is secure" icon in their user) to be tricked into also contacting a malicious site.
It is possible that you've misconfigured AdSense. See AdSense ad code support for SSL for instructions. If this is coming from some other provider, then you need to work with them to convert it to HTTPS.

Related

Website without SSL was showing unwanted ads, after adding SSL they are gone. What caused the unwanted content appear?

I have a website that was unmaintained for a while and my client calls me to inform that the site is "showing obscene" ads between the site's normal content. I checked that the site didn't have SSL and, as a first security measure, added an SSL certificate.
After the certificate was introduced, the "obscene banners" disappeared from my client's screen. I suspect that his computer had some kind of malware that injected content on the website. Is this correct? Was not having SSL making the site vulnerable to content injection, and was the introduction of the certificate what prevented the infected machine from continuing to do this?
Without HTTPS the content is vulnerable to sniffing and modification by some man in the middle. This might be some process on the local machine, on your router, at the router in a public WiFi hotspot or even your ISP. It is not unheard of for ISPs to try to get even more money from their users by injecting ads into the traffic.
HTTPS prevents both sniffing and modification of the payload and thus prevents such injections.

I want one particular page to not take https

I have this one page which has an iframe inside of which a survey page is embedded; unfortunately I'm getting a "Your connection is not secure" error inside the iframe. Does anyone know how to fix this issue? By the way, the website is SSL certified, not the page I'm trying to include inside the iframe. Also this is a PHP site, not WordPress.
Thanks
You are always going to have this problem when an HTTPS page references non-secured content. Your options are:
move the page hosting the iframe (and its associated content) outwith HTTPS. Although, in theory, an HTTP page should be able to reference HTTPS-hosted javascript, CSS and images without emitting warnings, this will probably vary by browser
move the survey page into HTTPS. I am guessing that you don't host this yourself - have you contacted the provider to ask if they can provide the service via HTTPS? Have you considered using a different provider?
proxy the HTTP survey page via your server - this would require some clever configuration on the webserver or terminating the SSL connection in front of a proxy operating in reverse mode for your service and rewriting/forwarding mode for the survey. Basically, if you don't control the infrastructure this is probably a non-starter.
re-implement the survey capability within your own site.
Bear in mind that as soon as your site is exposed outside of HTTPS it becomes vulnerable to more attacks.
.htaccess is not going to help - it overrides the behaviour within a vhost - the HTTP and HTTPS sites will operate in separate vhosts.

IE's security alert removal

I have a site that can be accessed both through http (http://mysite.com) and https (https://mysite.com). The https version holds secured content, while the http content is for public use. Both contents are on the same server.
Some of the https pages contain some elements such as images that are hosted on the http pages. So when one goes to the https site, IE's security alert pops up saying that the content required contains nonsecure data. Knowing that there is no risk anyway, I want to stop that popup. Is this something to be done only through IE's settings on the client side, or do I need to do something about the SSL certificate and configuration? Any guide is highly appreciated.
IE isn't the only browser that will give a popup of that nature. From memory, Firefox and Chrome have similar warnings (like they remove the padlock, or make the https go red in the address bar, instead of green).
The only way you can get it to go away is to only reference https resources in https pages. Have you checked to see what you're referring to doesn't have a secure version? All of the tools I have used generally have an equivalent https:// domain.
Please understand that the alert is there for a reason. The SSL certificate in place protects against man-in-the-middle attacks*. If you load in resources from non-https sources, then the man-in-the-middle protection you otherwise would have, is lost. The user's data may still be encrypted, but it doesn't really matter if the user is sending all his data to an attacker's computer that is decrypting it itself!
You need to remember that HTTPS is an all-or-nothing scheme. As soon as you introduce a non-HTTPS element into your page, you have essentially lost all the security that SSL has to provide.
Please mount your resources (or somehow make them available) on both HTTP and HTTPS URLs and load them accordingly. If you don't you are putting your users at unnecessary risk.
*only if you have a fully valid SSL certificate.

How to identify mixed content in https website

I've inherited an ASP.NET web site that has an SSL certificate bought via GoDaddy.
The problem is that the certificate seems to be invalid because of some "mixed content/resources" (I think that's how it's called) coming from http sites.
Chrome is showing the red cross over the lock next to https, meaning it's unsecured. The popup says the following:
Clicking "What do these mean?" goes here, which says:
The [crossed-lock] icon appears when Google Chrome detects high-risk mixed content, such as JavaScript, on the page or when the site presents an invalid certificate.
The certificate is correct and valid because I tried creating a blank "Hi world" .aspx page and it's showing the green lock with no problems.
Reading a little bit, I found that I should only include images and javascript coming from https sites. The only thing it had coming from http was the addthis widget, but they support https, so I changed to https, but it's still saying that is unsecured.
I've searched for anything else coming from http in the source, but didn't find anything.
Is there some way (site, chrome extension, firefox extension, whatever) that will show exactly which are the resources that are "unsecured"?
I've never dealt with SSL/HTTPS certificates, but I need to fix this issue asap.
Check your site in http://www.whynopadlock.com, which will give you a list of the URLs which are not considered secure by your browser.
Check the chrome console
You will get it like this,
The page at https://xys displayed insecure content from http://asdasda.png.
Make the http resource https, then it will work.
I've found the problem using the Chrome Developer Tools. It was a js that's embedding a flash from an 3rd party site which it's using http.
Are you on Windows? Download and run Fiddler while browsing the site, and watch for HTTP connections.
Mixed content means contents of a web page are mixed with HTTP and HTTPS links.
These links include your JS, CSS, Image, Video, Audio, Iframes etc.
If your website is enabled for HTTPS (an SSL certificate is installed), make sure you serve only HTTPS content throughout your web page.
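As an added example that is not part of the original thread, the following Node.js script does offline what the answers above suggest doing with whynopadlock, the Chrome console or Fiddler: given the HTML of a page served over https://, it lists every subresource that would be fetched over plain http:// and labels it the way browsers do (scripts, stylesheets, iframes and objects are "active" content and flagged as high-risk; images and media are "passive"). Plain <a href="http://..."> links are deliberately not reported, since they are navigations rather than loads. The sample page, host names and function names are constructed for illustration.

```javascript
// Added example (not from the original thread): a mixed-content finder.
// Run with: node find-mixed-content.js   (assumed file name; any name works)

const ACTIVE_TAGS = new Set(['script', 'iframe', 'object', 'embed']);
const PASSIVE_TAGS = new Set(['img', 'video', 'audio', 'source', 'track']);
const URL_ATTRS = ['src', 'href', 'data'];

const TAG_RE = /<([a-zA-Z][\w-]*)\b([^>]*)>/g;
const ATTR_RE = /([a-zA-Z:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Parse the attribute text of one tag into a lower-cased name -> value map.
function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    const value = (m[2] || m[3] || m[4] || '').replace(/&amp;/g, '&');
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// 'active' content can execute or rewrite the page (browsers block it or flag
// it as high-risk); 'passive' content only draws the weaker warning; null means
// the tag does not fetch a subresource at all (e.g. <a href="http://...">).
function severityFor(tag, attrs) {
  if (ACTIVE_TAGS.has(tag)) return 'active';
  if (PASSIVE_TAGS.has(tag)) return 'passive';
  if (tag === 'link') {
    const rel = (attrs.rel || '').toLowerCase();
    return rel.includes('stylesheet') ? 'active' : 'passive';
  }
  return null;
}

// Return every subresource reference in `html` that would load over plain
// http when the page itself is served from `pageUrl`.
function findMixedContent(html, pageUrl) {
  const findings = [];
  // An http page cannot have mixed content; only https pages are checked.
  if (new URL(pageUrl).protocol !== 'https:') return findings;
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttrs(m[2]);
    const severity = severityFor(tag, attrs);
    if (!severity) continue;
    for (const attr of URL_ATTRS) {
      if (!(attr in attrs)) continue;
      let resolved;
      try {
        resolved = new URL(attrs[attr], pageUrl);
      } catch (_) {
        continue; // not something the browser could fetch
      }
      // Relative and protocol-relative ("//host/...") references inherit the
      // page's https: scheme, so only an explicit http: scheme is insecure.
      if (resolved.protocol === 'http:') {
        findings.push({ tag, attr, url: resolved.href, severity });
      }
    }
  }
  return findings;
}

// Constructed sample page (not a real site): one active and one passive
// insecure load, plus references that look suspicious but are fine.
const SAMPLE_HTML = `
<html><head>
  <link rel="stylesheet" href="//cdn.example.test/site.css">
  <script src="http://ad.example.test/tracker.js?mode=7&amp;id=74"></script>
</head><body>
  <img src="/images/logo.png">
  <img src="http://static.example.test/banner.png">
  <a href="http://www.example.test/plain-link">a link, not a subresource</a>
  <iframe src="https://survey.example.test/s/1"></iframe>
</body></html>`;

function demo() {
  const findings = findMixedContent(SAMPLE_HTML, 'https://www.example.test/page');
  for (const f of findings) {
    console.log(`${f.severity.padEnd(7)} <${f.tag} ${f.attr}> ${f.url}`);
  }
  return findings;
}

demo();
```

On the sample page the script reports the http tracker script as active and the http banner image as passive; the protocol-relative stylesheet, the relative logo, the https iframe and the plain link are correctly left alone. To check a real page, fetch its HTML (curl, or "view source") and pass it to findMixedContent together with the page's https URL; resources injected by third-party scripts at runtime, like the Flash embed mentioned in the accepted answer, only show up in the browser's developer tools or a proxy such as Fiddler, not in static HTML.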

SSL iframe is embedded on other web site

An iframe from a domain with an SSL certificate will be embedded on another site (foo.com).
Must foo.com have an SSL certificate?
If foo.com has an SSL certificate, will it be a security error? foo.com has an SSL certificate for foo.com, but the iframe domain has a different SSL certificate.
If foo.com hasn't got an SSL certificate, will it be a security error?
No.
You will only get a security error if the embedding site uses SSL, but the iFramed one does not. Whether the sites use different certificates or not, that does not matter.
No. (Isn't this the same question as #1?)
Summary
Having different certificates between the main page and iframed pages is not a problem.
Embedding https:// pages with <iframe /> on a http:// page is not a problem.
However, if you are running a https:// secured page that embeds non-secure pages via http://, then you might get something like this (Internet Explorer):
It depends on the browser and its settings. For example, in IE you can turn this off:
The best way to look at an iFrame is to see it as almost a separate browser. In the case of foo.com not being SSL but the iFramed site being SSL you will not get any errors.
If you switch this around, where foo.com has SSL and the IFramed site doesn't, you can get a security warning about mixed-content from the browser.
It does not matter if the two websites use different SSL certificates. However, if the website that is being iframed is not SSL protected you will get a partially encrypted error message even if the website with the iframe embedded on it is SSL protected. I only know this because this is what I am dealing with right now. My web page was only secured after I took out the iframed website that did not have SSL protection.
While the main website (which contains the iframe) doesn't have to be using SSL, it really should, at least if security is a concern (which is the point of using SSL).
Not doing so prevents the user from checking that the iframe is indeed served securely and from which site it's from, which makes its usage of SSL useless. (Examples here.)
