I've got a client who is reporting very strange security errors I've not seen before on Windows 7 using this link.
The page won't load any of the assets with the error: "this site makes use of a SHA-1 certificate, it's recommended you use security certificates with algorithms stronger than SHA-1"
Here is the console:
Can anyone tell me why this might be happening?
The site uses a SHA-256 with RSA certificate, and why does Firefox even need to see the certificate, it's not being requested over https?
Can anyone tell me why this might be happening?
You are including https resources from sites which are using a certificate signed with SHA-1. If you look closely at the console log and at the links provided you will see access to
https://ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js
https://connect.facebook.net/en_US/all.js
https://fonts.googleapis.com/css?family=Lato:400,100,300,700,900
https://fonts.gstatic.com/s/lato/v11/9k-RPmcnxYEPm8CNFsH2gg.woff
....
The site uses a SHA-256 with RSA certificate ...
The certificate of the site does not matter for included resources from external sites.
... and why does Firefox even need to see the certificate, it's not being requested over https?
Because you've included the resources as https. Just look at your code and you will find something like
<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js"></script>
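The point of the answer above, as an added example that is not part of the original post: the browser validates the certificate of every HTTPS host a page pulls resources from, whatever the page's own scheme or certificate. This sketch lists those external HTTPS hosts from a page's HTML so each certificate can be inspected separately; the page URL and the HTML sample are constructed, and the function names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attribute that makes the browser fetch a subresource, per tag.
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


class ResourceCollector(HTMLParser):
    """Collects absolute URLs of subresources referenced by a page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value:
            # Resolve relative and protocol-relative ("//host/path") references.
            self.urls.append(urljoin(self.page_url, value))


def external_https_hosts(page_url, html):
    """Return {host: [urls]} for HTTPS resources served by other hosts."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    page_host = urlsplit(page_url).hostname
    hosts = {}
    for url in collector.urls:
        parts = urlsplit(url)
        if parts.scheme == "https" and parts.hostname != page_host:
            hosts.setdefault(parts.hostname, []).append(url)
    return hosts


# Constructed sample: an http page that includes resources named in the answer.
SAMPLE_URL = "http://www.example.test/index.html"
SAMPLE_HTML = """
<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js"></script>
<script src="https://connect.facebook.net/en_US/all.js"></script>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Lato:400,100,300,700,900">
<link rel="stylesheet" href="/css/site.css">
<img src="//www.example.test/logo.png">
"""

if __name__ == "__main__":
    for host, urls in sorted(external_https_hosts(SAMPLE_URL, SAMPLE_HTML).items()):
        print(host, len(urls))
```

Resources that a stylesheet or script loads in turn, such as the font file from fonts.gstatic.com in the list above, do not appear in the HTML and only show up in the browser's network log.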
Most likely it is because your site uses an SHA-1 certificate. SHA-1 is an older encryption algorithm that is now considered pretty weak; Firefox, Chrome, and Windows will stop accepting it by 2017. You might want to consider upgrading to an SHA-2 certificate.
Related
I have a few applications relying on hash functions, which were developed a while ago before browsers changed their policy to restrict Crypto.subtle to HTTPS connections.
Deploying the webapps on secure connection isn't a problem for me, but testing them locally is.
Is there a configuration in about:config that allows me to change the setting, for Firefox, Chrome, and Safari?
Probably too late to help you, but there's a config flag available on Chrome that allows you to specify insecure contexts that should be considered secure.
On Chrome, open chrome://flags and search for the flag "Insecure origins treated as secure". Add the insecure context domains you want to test on and relaunch the browser. Works for me.
I couldn't find a similar flag on Firefox.
We recently updated the SSL certificate on our website and it works fine on Chrome and Firefox, but when I use Safari or Edge on Windows I get this error:
Is there any specific reason why this is happening? I manually removed the certificate and after that I visited the site again and didn't even save the certificate. Why is that?
I had a look on the server logs, but couldn't find anything specific related to this issue.
This is what happens if I click on "view the certificate":
Any help or input would be appreciated.
The website is not loading on the Safari browser with SSL. The site is running on the https (SSL) layer. Please refer to the attached screenshot to know more.
P.S. I am using Windows 10 and an SSL certificate purchased from GoDaddy.
Safari refuses to connect to servers that don't match the minimum security requirements defined by Apple.
For example and example.
It will be necessary to contact the administrator of the server to be compliant with the standards or you can try a different browser (try IE, it never complains).
Several users have emailed us to report that they cannot access our site using Firefox because we're using SSLv3. The problem is, we discontinued support for SSLv3 a while ago. I've tested our site using the Qualys SSL Labs scanner and the report says we don't support SSLv3. I've also tried initiating a handshake from the command line using SSLv3 and it returns the correct error.
Has anybody dealt with this? Could anybody guess what's going on here? It's driving me nuts. I've tried restarting our servers, changing what ciphers we support (not protocols-- we only support TLSv1), promoting new servers to master via keepalived, and more. Users continue to complain that Firefox won't let them access our site.
I am working on a web development project and I was testing it primarily on Firefox. However, when I tried it on Google Chrome, it would not load completely and Chrome would warn me that the site had "insecure content". After searching for answers, I was advised to make my website use "https" rather than "http". I do not know much about SSL or anything like it, but I followed a set of instructions for setting up Apache to work with SSL. The instructions are here:
https://www.digitalocean.com/community/articles/how-to-create-a-ssl-certificate-on-apache-for-ubuntu-12-04
I followed them. The good news is, my website is accessible by https. The bad news is, unless https is typed, the website is inaccessible. On top of that, both Chrome and Firefox present messages saying "this certificate is not trusted", which is ironic, since I only did any of this to secure the site in the first place.
Can anyone show me where I went wrong or give a more complete explanation of what's going on? I am working on Ubuntu 12.10 with Apache 2 and PHP5.
You can search online to get the best SSL vendor and use that. We use Symantec at work: http://www.symantec.com/theme.jsp?themeid=compare-ssl-certificates
Use the JavaScript below to redirect http to https.
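// Redirect to the same URL over https if the page was loaded over plain http.
if (window.location.protocol === "http:") window.location.replace(window.location.href.replace(/^http:/, "https:"));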
"this certificate is not trusted" message is due to the fact that you are using a self-generated certificate. SSL uses a trusted third party (certificate authority) to ensure secure communication. You will need to purchase a certificate from one of these for your production environment. Simple google SSL certificate and you will get a whole bunch of options.