Loading HTTPS content on HTTP pages - security

Can non-secure pages (HTTP) load secure content (HTTPS) without any unwanted side effect (eg: browser alerts, failed load, etc)?
I know secure (HTTPS) pages shouldn't load non-secure (HTTP) content and that protocol-less URLs can help alleviate this problem. I would like to know if the opposite is also true.
Thanks,
Omar

The only problem would be if the User Agent doesn't support HTTPS, otherwise loading secure content on a non-secure page should work and shouldn't generate warnings.
Regarding whether it SHOULD be done, read: Is there any reason not to serve https content on a page served over http?

Related

I want one particular page to not take https

I have this one page which has an iframe inside of which a survey page is embedded, unfortunately i'm getting "Your connection is not secure" error inside the iframe. Does anyone know how to fix this issue? By the way, the website is SSL certified, not the page i'm trying include inside the iframe. Also this is a php site not wordpress.
Thanks
You are always going to have this problem when an HTTPS page references non secured content. You options are:
move the page hosting the iframe (and its associated content) outwith HTTPS. Although, in theory a HTTP page should be able to reference HTTPS hosted javascript, CSS and images without emitting warnings, this will probably vary by browser
move the survey page into HTTPS. I am guessing that you don't host this yourself - have you contacted the provider to ask if they can provide the service via HTTPS? Have you considered using a different provider?
proxy the HTTP survey page via your server - this would require some clever configuration on the webserver or terminating the SSL connection in front of a proxy operating in reverse mode for your service and rewriting/forwarding mode for the survey. Basically, if you don't control the infrastructure this is probably a non-starter.
re-implement the survey capability within your own site.
Bear in mind that as soon as your site is exposed outside of HTTPS it becomes vulnerable to more attacks.
.htaccess is not going to help - it overrides the behaviour within a vhost - the HTTP and HTTPS sites will operate in seperate vhosts.

How to Handle Port Redirection for HSTS

Currently in the process of setting up a new personal server. I've been reading about HSTS (thanks EFF!), as well as the steps for implementing on Nginx (ex: here).
What I haven't seen clearly spelled out is how to handle the initial redirect. Do I serve some static error content at port 80, redirecting to the actual site at HTTPS?
A lot of what I've read so far suggests that serving from HTTP is making your site vulnerable to MITM attacks. Others seem to suggest that as long as you have the Secure flag set on any cookies instantiated, you're good. Of course, plebeian that I am, I'm not on the preloaded HSTS site list, so that's out.
What's the deal here? Should I serve port 80 and redirect for convenience of site visitors, or am I exposing them to attack?
Full-disclosure: Non-Ops by trade, and non-secure content being served, just a hungry mind with a learning opportunity.
On your site at port 80, you just respond with a 301 response code redirecting the user to your HTTPS site at port 443. The secure site then send the "Strict-Transport-Security" header.
This will still leave your users vulnerable to man-in-the-middle attacks the very first time they visit your site. You can only mitigate this by getting your site on the preloaded HSTS list.
Don't set any cookies from the insecure site and always use the secure flag when setting cookies from the secure one.

Secure HTTPS not working in Magento under CloudFlare

Here is my problem:
I have set magento to run under SSL setting the frontend secure option on admin to Yes
The site run under cloudflare
I set a page rule on cloudflare (according to the support instruction) that goes:
http://fabshopper.com/*
Always uses HTTPS
I'm using ultimo theme in magento
When I open the site in the browser it shows the HTTPS connection but most of the content is not load because the links are HTTP (including CSS, Script, images).
Ultimo theme is supposed to create link either HTTP or HTTPS according to the magento settings, but the link I'm getting are HTTP
I ran out off ideas :(
Can anyone give me an hint?
Thanks
I go through link provided by you and found many URLs loaded from insecure server. check below few of them:
The page at 'https://www.fabshopper.com/' was loaded over HTTPS, but displayed insecure content from 'http://www.fabshopper.com/skin/frontend/ultimo/fabshopper/images/fab_shopper.png': this content should also be loaded over HTTPS.
The page at 'https://www.fabshopper.com/' was loaded over HTTPS, but displayed insecure content from 'http://www.fabshopper.com/media/wysiwyg/autumn-cardigans.png': this content should also be loaded over HTTPS.
Just change the HTTP to HTTPS of all insecure urls and it will solve your problem.

Allow non-ssl content from external websites in an HTTPS website under IIS

I recently put my website under SSL. I've been able to adapt the website so that most of the content is under SSL, but some data, like Twitter avatars, are on an http website, so I'm receiving warnings, at least in Chrome.
Is there a policy in IIS to enable fetching non-ssl data from pages outside website's domain?
Is it depending on browser, on the source code, or on server settings?
If you insert direct HTTP links, the browser will complain (and this is correct). One of the options is to cache the data on your server and send it as "own" links for the server.
I believe it will, but the browser will complain about unsecured links usually.

IE's security alert removal

I have a site that can be accessed both through http (http://mysite.com) and https (https://mysite.com). The https version holds secured content, while the http content is for public use. Both contents are on the same server.
Some of the https pages contain some elements such as images that are hosted on the http pages. So when one goes to the https site, IE's security alert pops up saying that the content required contains nonsecure data. knowing that there is no risk anyway, I want to stop that popup. Is this something to be done only through the IE's settings on the client side or do I need to do something about the SSL certificate and configurations? Any guide is highly appreciated.
IE isn't the only browser that will give a popup of that nature. From memory, Firefox and Chrome have similar warnings (like they remove the padlock, or make the https go red in the address bar, instead of green).
The only way you can get it to go away is to only reference https resources in https pages. Have you checked to see what you're referring to doesn't have a secure version? All of the tools I have used generally have an equivalent https:// domain.
Please understand that the alert is there for a reason. The SSL certificate in place protects against man-in-the-middle attacks*. If you load in resources from non-https sources, then the man-in-the-middle protection you otherwise would have, is lost. The user's data may still be encrypted, but it doesn't really matter if the user is sending all his data to an attacker's computer that is decrypting it itself!
You need to remember that HTTPS is an all-or-nothing scheme. As soon as you introduce a non-HTTPS element into your page, you have essentially lost all the security that SSL has to provide.
Please mount your resources (or somehow make them available) on both HTTP and HTTPS URLs and load them accordingly. If you don't you are putting your users at unnecessary risk.
*only if you have a fully valid SSL certificate.

Resources